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EXECUTIVE SUMMARY 

On January 7, 2001, the Genesis spacecraft lifted off from Cape Canaveral. Its mission was to collect 
solar wind samples and return those samples to Earth for detailed analysis by scientists. The mission 
proceeded successfully for three- and -a-half years. On September 8, 2004, the spacecraft approached 
Earth, pointed the Sample Return Capsule (SRC) at its entry target, and then fired pyros that 
jettisoned the SRC. The SRC carried the valuable samples collected over the prior 29 months. The 
SRC also contained the requisite hardware (mechanisms, parachutes, and electronics) to manage the 
process of entry 7 , descent, and landing (EDL). After entering Earth’s atmosphere, the SRC was 
expected to open a drogue parachute. This should have been followed by a pyro event to release the 
drogue chute, and then by a pvro event to deploy the main parachute at an approximate elevation of 
6.7 kilometers. As the SRC descended to the Utah landing site, helicopters were in position to 
capture the SRC before the capsule touched down. 

On September 8, 2004, observers of the SRC’s triumphant return became concerned as the 
NASA announcer fell silent, and then became even more alarmed as they watched the spacecraft 
tumble as it streaked across the sky. Long-distance cameras clearly showed that the drogue parachute 
had not deployed properly. 

On September 9, 2004, General Eugene Tattini, Deputy 7 Director of the Jet Propulsion 
Laboratory 7 formed a Failure Review Board (FRB). This board was charged with investigating the 
cause of the Genesis mishap in close concert with the NASA Mishap Investigation Board (MIB). The 
JPL-FRB was populated with experts from within and external to the Jet Propulsion Laboratory. The 
JPL-FRB participated with the NASA-MIB through all phases of the investigation, working jointly 
and concurrendy as one team to discover the facts of the mishap. Board members are listed below. 
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A comprehensive Mission Fault Tree (MFT) was developed focusing on the “drogue parachute 
not deployed” fault. The MFT contained a catalog of approximately 80 leaf faults, which fell into 4 
major categories. 

■ Electrical power failure in the SRC 

■ Avionic failure in the SRC 
• Hamess/connector failure 

■ Drogue system failure 

A careful examination of the MFT concluded that a failure within the Avionics SRC was the only 
credible fault. In addition, Lockheed Martin Aerospace came forward shortly after the impact with 
evidence that indicated the G-switches were the only common point which could have caused the 
failure and the events seen. Upon further analysis, it was discovered that the G-switch was designed 
and placed in the SRC- Avionics Unit (AU) 180 degrees out of phase. However, no comprehensive 
system or board level tests were performed prelaunch that might have uncovered the design error. 

The JPL-FRB was also asked to investigate the contingency planning and systems safer,' em- 
ployed during the Genesis mishap. It was already known that, upon impact and recover}’, a number 
of personnel were close to the return canister. A review of the contingency plans was initiated to 
ensure proper procedures had been followed, and to improve plans and procedures, as necessary. 

The JPL-FRB developed a number of root causes and recommendations to improve future 
performance. The following is a list of those root causes and specific recommendations. 

Systems Engineering. There was a lack of penetradon and oversight by the JPL and contractor 
systems engineering teams. 

R1 (Recommendation 1): Ensure that JPL is involved in all program system verification 
changes 

R2: Assign JPL mission mode systems engineers for critical mission events 
R3: Develop an incompressible test list and monitor its completeness 
R4: Use a common risk management system across the project 
Project Management. The JPL development project manager empowered the LMA project 
manager for all aspects of the design, build, and verification of the hardware and software in 
accordance with the verification matrix. Neither JPL nor LMA had a systems engineering staff 
large enough to perform the appropriate systems checks and balances. LMA’s Genesis 
performance was a best effort within a profit and loss cost constraint. 

R5: Require JPL project managers to institute a formal process for systems engineering checks 
and balances with specific responsibility, accountability, and authority for systems and 
subsystems 

R6: Change the fee structure for a profit-and-loss contractor to a fixed fee of 4% to 6% with an 
award fee of 9% to 11%, based principally on cost and program management performance. 
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Heritage. The project utilized a high-heritage design for the SRC-Avionics Unit during the proposal 
phase. Shortly thereafter, the layout heritage of the SRC-AU was significantly modified. The 
project, however, did not truly understand that the heritage was broken and, consequently, more 
careful oversight was needed. 

R7: Ensure that heritage hardware goes through the same strenuous verification and review 
process as new designs. 

Test As You Fly. The project during development and integration did not develop a comprehensive 
Test As You Fly exceptions list. The lack of an end to end test to verify correct phasing of the 
G-switches, or an independent review of the “verify by inspection/analysis” descope to eliminate 
the phasing test was a “last: chance” to have uncovered the design error. 

R8: Develop a comprehensive Test As You Fly exceptions list and present it at each major 
review. 

Red Team Reviews. Genesis was the first project to implement the red team concept. Due to the 
fast pace of the review, many red team members did not have the time to probe deeply enough 
to ascertain the soundness of the verification process. 

R9: Hold a project Independent Readiness Review, headed by the systems engineering team 
members assigned to the project, and augmented by a systems engineering/ chief engineering 
staff assigned to a core organization (in this case JPL). 

Inadequate Resources to Properly Prepare for the Event. A shortcoming of the Genesis 
preparation was the minimal amount of coordinated training for recovery. 

RIO: Update JPL Flight Project Practices to identify adequate funding and schedule margin during 
the late mission time frame necessary to support late mission-critical activities. 

Insufficient Leadership Attention. “Safety first” was not an adequate part of the whole 

management approach. Although there was a directive to comply with safety issues, especially in 
the area of PPE, issued by the project manager, there was no obvious commitment to do so by 
the other members of the project leadership. 

Rll: Require safety plans for sample return missions to be approved and signed off by the 
cognizant “Director-for” for both the safety organization and the project directorate. 

Inconsistent Contingency Planning and Preparation. There was no single document defining 
the contingency plan and associated operations. There were no training exercises for the various 
contingency situations. 

R12: Provide project management training to ensure necessary 7 attention is given to contingency 
plans; incorporate a section on safety and contingency planning into project manager workshops. 
R13: Require a single overarching contingency plan at the project level for all missions. 

Poor Communication at the Scene. Personnel on the scene were not equipped with proper 
communication capabilities; consequently, intentions were confused and conflicting. 

R14: Clearly identify requirements for recovery-type missions to ensure effective communication 
between the project manager and the on-site personnel, as well as among on-site personnel. 
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1. GENESIS MISSION DESCRIPTION 

1.1 Background 

The Genesis mission was conceived about a decade ago, when Don Burnett of Caltech, Ben Clark of 
Lockheed Martin Aeronautics (LMA), and Marcia Neugebauer of the )et Propulsion Laboratory 
(JPL) developed the concept of a mission to return solar matter to Earth for laboratory isotopic and 
chemical analyses. After several years of early feasibility- planning, a multi-institutional team was 
created to respond to the 1995 Discovery IV NASA request for proposals. A Phase A mission 
analysis was completed (then called “Suess-Urey”) during Discovery' IV, but the proposal finished a 
close second to Stardust in a field of about 30 entries. The team was reassembled in 1 997 to prepare 
an improved submission for Discovery V, and this time Genesis won. Phase B of Genesis began in 
December of that y-ear and ended on July 31, 1998. 

1.1 Science 

The Sun continuously emits a stream of energetic ions, a phenomenon known as the “solar wind.” 
Current scientific theory’ suggests that the elemental composition of the solar wind broadly mirrors 
that of the outer regions of the Sun. Since the Sun contains most of the mass in the solar system, it 
makes sense that the composition of the Sun, essentially by definition, would also be the average 
composition of the solar system. Differences in composition between the Sun and various other 
parts of the solar system (e.g., planets, asteroids, comets) form the average for the solar system in 
regard to particular elements or isotopes. Examining such differences is widely recognized as the 
most powerful way to probe the conditions prevailing, and processes that occurred, during the 
formation and evolution of the solar system. In general, theories of planet formation and evolution 
lead to predictions of the elemental and isotopic composition of the various bodies in the solar 
system relative to the average for the solar system. Solar composition provides a baseline for 
assessing fractionation and loss processes in solar system bodies, particularly for volatiles. It also 
provides a basis for judging the veracity of various theories of solar system formation. 

1.1.1 Science Objectives 

These were the baseline Genesis science objectives: 

* Achieve a major improvement in our knowledge of the average chemical and isotopic 
composition of the solar system. 

* Provide a reservoir of solar material for twenty-first century' science. 

* Create greatly improved models of the nebular processes driving the formation of planetary 
materials and the various bodies in the solar system (planets, comets, asteroids, Kuiper belt, 
bodies y'et to be discovered, etc.). 

From a consideration of which elements and isotopes were most important for study, a set of 
prioritized measurement objectives was developed (Table 1-1). Based on feasibility', some 
measurements were scheduled for early analysis and publication (i.e., w-ithin one year after sample 
return) to ensure the timeliness of reporting mission results. These are designated as “early science 
return” in the table. 
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T able 1 -1 . Prioritized Measurement Objectives 

Required Objectives 
1 . O isotopes 

1 . N isotopes in bulk solar wind 3 
1 . Noble gas elements and isotopes 3 
1 . Noble gas elements and isotopes; regimes 
Non-Required Objectives 
1 . C isotopes 3 

1 . C isotopes in different solar wind regimes 

1. Mg, Ca, Ti, Cr, and Ba isotopes 

1 . Key first ionization potential elements 

1 . Mass 80-1 00 and 1 20-1 40 b elemental abundance patterns 

1 . Survey of solar vs. terrestrial isotopic differences 

1 . Noble gas and N elements and isotopes for higher energy solar articles 

1. Li/Be/B elemental and isotopic abundances 

1 . Radioactive nuclei in the solar wind 3 

1 . F abundance 

1 . Pt-group elemental abundances 
1 . Key s-process heavy elements 
1 . Heavy vs. light element comparisons 
1 . Solar rare-Earth elements abundance pattern 
1 . Comparison of solar and chondritic elemental abundances 
a Early science return “Atomic units 


1.1.1 Science Requirements 

The Genesis Science Requirements document (JPL D-31427) defines requirements on: 

* Placement of solar wind collectors 

* Surface area of solar wind collectors 

* Durauon of collecdon 

* Thermal constraints 

* Contamination constraints 

* Performance of the solar wind concentrator 

■ Performance of the solar wind monitors 

* Fields-of-view and pointing 

* Data 

■ Curating and archiving of returned samples 
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1.2 Mission Design 

The Genesis spacecraft was launched on a low-energy trajectory (C3 = —0.6) to LI, the so-called 
Sun-Earth libration point, approximately 1.5 million km away from the Earth (approximately 1% of 
the Earth-Sun distance). This placed the spacecraft in a location where the gravitational pulls of the 
Sun and Earth are balanced, well beyond the confounding influence of Earth’s magnetosphere. 
During the 3-month cruise to LI, the Sample Return Capsule (SRC) was open-facing to the Sun. 


The spacecraft was placed into an elliptical halo orbit (axes 700,000 x 300,000 km, 6-month 
period) in a plane approximately perpendicular to the Earth— Sun line, allowing long dwell times with 
minimum propellant expenditure. After orbit insertion, the ultra-pure collectors were exposed to the 
incoming solar wind flux, allowing ions from the solar wind to be implanted and accumulated in the 
collector materials. After 22 months, the collectors were stowed in a contamination-tight canister and 
returned to Earth (Figure 1-1). The design called for separation of the SRC from the spacecraft, and 
re-entry into the atmosphere for recovery 7 in the Utah Training Test Range (UTTR). A 19-day 7 
parking orbit prior to Earth entry 7 was available, if necessary 7 . 
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Figure 1-1 . Genesis mission trajectory 
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1.3 System Architecture 

The. Genesis system has three major elements: 

® The payload 
K The sample return capsule 

" The spacecraft engineering platform (e.g., the spacecraft) 

The pavload was enclosed within the SRC and mounted to the spacecraft deck for launch and flight. 

1.3.1 Payload 

The Genesis payload, the means for acquiring solar wind samples and encapsulating them in a 
canister for return to Earth, was designed to serve the following functions: 

* Provide critical data to determine which of three specific regimes of solar wind is prevalent 
at any time; 

* Expose ultra-clean passive arrays of collector materials to the solar wind outside of Earth’s 
magnetosphere, and thereby collect solar matter for approximately 2 years; 

* Concentrate bv a factor of >20:1 and capture N, O, and other light elements onto a target 
for laboratory chemical analysis; and 

* Provide an ultra-clean canister to keep collection materials contamination-free. 

The major design constraint on the payload was to utilize as large a collection area as possible while 
minimizing risks of contamination or malfunction. The wafer-thin solar wind collectors were 
mounted on rigid arrays for maximum hardness and deployed in space by means of simple rigid 
rotations (Figure 1-2). Collector arrays and concentrator were kept very’ clean by housing them in a 
sealed canister. The diameter of the SRC was made as large as possible to maximize the exposed area 
of solar wind collectors, while remaining within launch vehicle mass and diameter limits (1 .46 m 
maximum SRC diameter accommodates 0.85 m maximum canister envelope diameter). 

The payload consisted of 

■ Five arrays of solar wind collectors 

* An electrostatic concentrator to concentrate the fluence of N, O, and other light ions in the 
solar wind onto a small target for collection 

* A canister in the SRC for storing the collectors and concentrator in an ultra-clean 
environment 

* A pair of solar wind monitor instruments for determining the regime of solar wind at any 
time in order to control deployment of collectors and voltages on the concentrator 

1.3. 1. 1 Pa yload Science 

Collecting samples from different regimes enables an important capability' to correct for possible 
differences between composition of the solar wind and the outer layers of the Sun. Genesis used ion 
and electron monitors to measure properties of the solar wind. The three major solar wind regimes 
were: 

■ High-speed streams from coronal holes 

■ Low-speed interstream wind 

■ Transient wind associated with coronal mass ejections 
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The monitors were mounted on the 
spacecraft bus and measure properties such as: 

* H/He ratio 

* Bulk wind velocity 

* Ion and electron temperatures 

* Densities 

* Angular distribution of electrons 

These data were fed into an expert system 
resident in the spacecraft computer that sensed 
solar wind flux in real time. When such a 
change occured, the system commanded 
mechanical actuators to expose the proper 
individual solar wind collector array and 
change the voltage on the concentrator 
appropriately. 

Collecting precise data on the isotopes of 
N and O in the solar wind was a particularly 
high priority Genesis science objective. For N and O this posed a special challenge because of the 
ubiquitous nature of atmospheric and organic contamination during manufacture and preparation of 
materials. For this reason. Genesis used a parabolic electrostatic concentrator (Figure 1-3), in 
addition to the flat arrays, to collect C, N, and O. This concentrator was an electrostatic analog of an 
optical reflector telescope and increased the signal-to-background ratio on the collector target. The 
solar wind ions impinging on the 40-cm aperture of the electrostatic concentrator were first reflected 
and then focused by the electric field onto a 6-cm-diameter target. 





Ion Trajectories 


Entry Grids 


6 cm dia 
Target 


Mirror 

Grid 


Grounded Grid 


Proton 

Rejection Grid 


Acceleration 

Grid 


Figure 1-3. Genesis parabolic concentrator 
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1.3.2 Sample Return Capsule and Spacecraft 

The SRC was designed with minimal requirements when compared to traditional entry vehicles. It 
required no active attitude control, propulsion, or active thermal control. The SRC housed the 
science canister and provided for its safe return. The heat shield configuration, a 60-degree half-angle 
cone, provided for a highly stable attitude throughout descent. The low ballistic number of the SRC 
resulted in a subsonic, low-dynamic-pressure parachute deployment environment. The mortar- 
deployed drogue parachute pulled off the backshell and deployed the main parachute. The SRC 
avionics included lightweight battery-powered tracking aids to support SRC recovery at UTTR. The 
Genesis spacecraft is shown in Figure 1 -4. 
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Figure 1-4. Genesis spacecraft 
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The Genesis spacecraft was designed to operate exclusively as a spinner to reduce the cost of 
mission operations. During sample collection, it was absolutely necessary to keep the spin axis 
pointed 4 degrees ahead of the Sun direction to account for the aberration of the solar wind flow 
(caused by the spacecraft’s orbital motion). In this way, the spin axis, collectors, and monitors 
continuously pointed into the average direction of the solar wind flow. Attitude control was provided 
by thrusters (no reaction wheels are required). Attitude knowledge was provided by redundant star 
trackers (no inertial measurement units are needed). Because the Genesis spacecraft 

* was a spinner, 

* did not move in and out of Earth’s shadow, and 

* was flown predominantly at 1.0±.O1 AU from the Sun, 

the thermal variations that normally drive spacecraft temperature control were minimal and could be 
achieved with passive thermal design. However, because the collector arrays and the concentrator 
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were constantly exposed to the Sun, and because of the science requirement to keep the collectors’ 
temperature below 200°C to prevent migration of the imbedded ions, the design of the SRC and 
canister was tailored to accommodate the thermal limits and avoid introducing anv contaminants. 

Spacecraft power was provided by two non-articulated 1.5-m 2 (each) solar array panels. The 
265 W (end of life) produced by the panels represented a margin of nearly 41% over spacecraft 
requirements. Also included was a NiFT secondary battery to provide energy 7 during the brief and 
infrequent trajectory' correction maneuvers. 

The Genesis open-architecture Command and Data Handling (C&DH) subsystem was based on 
a RAD 6000 processor. It featured redundant processors, uplink/ downlink, input/output, and 
payload /attitude control functions. The C&DH subsystem provided significant margin on 
throughput, command rates and telemetry 7 rates, as well as 1 Gbit of science and engineering data 
storage. This eliminated the need for external solid state or tape recorders. 

The telecommunications requirements for Genesis were modest due to the constant close 
proximity to Earth (0.01 AU) and the low instrument data rate (note that the only instruments 
generating data were the solar wind monitors at <1 kbps). This allowed infrequent (no more often 
than weekly) communication cy'des with the Deep Space Network. 

1.4 Mission Operations 

Due to the need for precise navigation, tracking for the Genesis mission was driven by the 
acquisition of Doppler and range data. While specific coverage varied during different phases of the 
mission, the nominal coverage algorithm was at least 2 hours of two-way coherent tracking every 
other day. Science requirements to downlink instrument telemetry with at least one contact per week 
were accommodated within the coverage for navigation, and commanding occurred no more than 
once per week. 

Genesis payload, engineering, and navigation data were routed through the existing standard JPL 
multi-mission data capture system, utilizing a secure local-area network, to the dedicated Genesis 
mission database. Members of the Genesis flight team at JPL, LMA, and Los Alamos National 
Laboratory 7 (LANL) accessed the database as needed to execute their specific tasks. In the other 
direction, spacecraft command sequences were forwarded by the multi-mission control system 
through the Deep Space Network to the spacecraft. In all cases standard information transfer packets 
were utilized. 

A team from LMA maintained the health of the spacecraft platform. They downloaded 
engineering data from the mission database, conducted analyses to confirm proper operation, and 
generated command updates only when necessary (such as to conduct a maneuver). A team at ]PL 
was responsible for mission planning and assembling the integrated sequences of commands, 
ensuring that all science/ engineering/ ancilliary data were available both for analysis and for 
navigating the spacecraft. A small science team at LANL telemetered data from the solar wind 
monitors to ensure that the monitors and collectors were functioning correctly. 
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The SRC recovery phase of the Genesis mission was designed to utilize day-side entry to the 
UTTR site, with the opportunity to go into a 19-day parking orbit in the event of unfavorable 
weather conditions at UTTR. Factors such as navigation and maneuver errors at the final trajectory 
correction maneuver, coupled with uncertainties in the SRC and atmospheric conditions, resulted in 
an 84-km by 30-km recovery footprint, well within the dimensions of the UTTR site. 
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2. TECHNICAL INVESTIGATION 

On September 8, 2004, the Genesis sample return capsule returned to Earth. The SRC was closely 
tracked, first by radar and then by visible cameras. Long-distance cameras clearly showed that the 
parachute had not deployed properly. The SRC struck the Earth at 15:58:52 (Universal Time 
Coordinated, or UTC). 

Within an hour of the landing of the Genesis sample return capsule, both LMA and JPL team 
members began drafting a Drogue Not Deployed Mission Fault Tree (DND-MFT) that would guide 
the inevitable failure analysis efforts. The fault tree began as a list of possible causes, ordered by 
plausibility of occurrence, and grew to a catalog of about 80 so-called leaf faults. 

2.1 Proximate Cause 1 : Drogue Not Deployed (DND) 

A comprehensive Mission Fault Tree (MFT) was maintained by the Genesis project (with oversight 
from the Mission Assurance Manager) for the duration of Phase C/D (development) and periodically 
updated during Phase E (operations). This fault tree contained hundreds of entries covering most 
launch — and all post-launch — mission events. And, while it enumerated SRC entry failures (including 
G-switch failures), failure to initiate timely ejection of the drogue mortar (and related events) was 
considered a double fault and therefore highly unlikely. Since systemic hardware design errors were 
presumed to have been mitigated during the project’s development phase, the MFT was only used to 
provide input to the more detailed fault tree starting at the “Drogue Not Deployed” branch. 

The DND-MFT was maintained initially by LMA before being handed over to the Mishap 
Investigation Board/Failure Review Board (M1B/FRB) team for maintenance and update. The fault 
tree ultimately used and maintained by the MIB/FRB was an indentured (hierarchical) spreadsheet. 

Every’ effort was made to ensure the fault tree was comprehensive and well-organized. As tests, 
inferences, analyses, and/or inspections were carried out, branches of the tree could be ‘pruned’ 
when those branches were ruled out as likely causes. Despite an early announcement concluding it 
was highly likely that the G-switch orientation was a credible root cause, it was essential to keep the 
fault tree sufficiently broad so that other, less-obvious possible causes were not overlooked (or at 
least be designated as unlikely). 

Once the details of the fault tree were established, closure plans were developed that described 
how each branch or a leaf of the tree could be closed (i.e., determined to be or not to be a candidate 
proximate cause). Sub-teams of MIB/FRB personnel, with close cooperation from the Genesis JPL 
and LMA team members, took ownership for close-out plans of specific branches. These plans 
consisted of recommendations to perform a specific analysis (e.g., reconstruction of the incoming 
trajectory 7 ), inspections (e.g., X-rays of the residual hardware), and tests (e.g., operational verification 


1 The following definitions are found in NASA Procedural Requirements for Mishap Reporting, Investigating, and 
Recordkeeping (NASA NPR 8621.1). Proximate Cause: The event(s) that occurred, including any condition(s) that existed 
immediately before the undesired outcome that directly resulted in its occurrence and, if eliminated or modified, would 
have prevented the undesired outcome. Also known as the direct cause(s). Root Cause: One of the multiple factors 
(events, conditions, or organizational issues) that contributed to or created the proximate cause and subsequent 
undesired outcome and, if eliminated or modified, would have prevented the undesired outcome. Multiple root causes 
typically contribute to an undesired outcome. 
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of the engineering model SRC avionics). MIB/FRB sub-teams scrubbed the plans for redundancy 
and prioridzed the work associated with each plan. The fault tree master spreadsheet was then back- 
annotated with references to the (approved) closure plan for each branch and leaf. 

After the plans were approved, procedures were written, where necessary (e.g., inspection and 
handling procedures that affected the residual hardware were essential). A single point of contact 
within the MIB was established to coordinate all inspections and analyses. As new observ ations were 
made, additional inspections, tests, and analyses were requested. The entire process took place over 
the course of about 8 weeks. Once completed, a close-out record was generated that attested to the 
probabilitv that a branch or leaf was a likely cause. A leaf (or branch and all of its leaves) could be 
assigned a rating of “closed credible,” “closed not credible,” or “closed unlikely.” All 80 leaves were 
either closed or combined into higher-level branches, as summarized in Table 2-1. 


Table 2-1. Fault Tree Close-Outs 


Combined with higher branches 


13 

Closed as Not Credible 


47 

Closed as Unlikely 


19 

Closed as Credible 


1 

Total 


80 


2.2 Fault Categories 

All faults were classified under one of four branches (Figure 2-1): 

1. Electrical Power Failure in SRC 

2. Avionics Failure in SRC 

3. Harness / Connector Failure 

4. Drogue System Failure 


Electrical Power Failure in SRC 



Figure 2-1 . Top-level faults shown as a fishbone diagram 


These four branches and the first sub-tier branches of the DND-MFT are presented as an 
indentured spreadsheet in Table 2-2. The MIB and FRB drew upon this spreadsheet extensively 
because of its ease of use and completeness. In general, each branch contains one or more sub-tier 
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branches or leaves, yielding a total of 80 faults (at the bottom of the hierarchy). The branches were 
assigned one of four values: “credible,” “unlikely,” “not credible,” or “combined with higher 
branches.” Only sub-branch 2.1 (“G Switch Did Not Activate”), leaf 2.1.1 (“Improper Orientation 
of G-Switch,” see Appendix A, Table A-la), was closed as credible. All other faults were deemed 
unlikely or not credible based on the post- failure evidence. 

For example, extensive analysis of the batten,’ pre-landed (launch and cruise) environments and 
post-failure analysis of the batteries, as well as avionics design and hardware inspections and tests, led 
to the conclusion that an “Electrical Power Failure in the SRC” was an unlikely cause (Section 3.2.1). 
Inspection of the design and as-built configurations of the avionics led to the elimination of other 
SRC avionics faults as credible failures, but did uncover the G-switch as the root cause (Section 
3.2.2). Post-failure inspections of harnesses and connectors led to the conclusion that the 
“Harness/Connector Failure” was unlikely (Section 3.2.3). Likewise, post-failure inspection quickly 
determined that “Drogue System Failure” was unlikely (or not credible) based on the observations 
that neither string of the drogue mortar pyros (NASA standard initiators (NSI)) had been fired. 


Table 2-2. Top-Level Faults 


No. 

Fault Type 

Credible 

Assigned Value 
Unlikely Not 

Credible 

1.0 

Electrical Power Failure in SRC 


X 


1.1 

Spacecraft bus sequence wrong 



X 

1.2 

Power state of circuits incorrect (relays) 


X 


1.3 

Power electronics design flaw 



X 

1.4 

Power disconnected on entry 



X 

1.5 

Entry thermal environment effects 


X 


1.6 

Inadequate battery voltage/power for avionics or pyros 


X 


2.0 

Avionics Failure in SRC 

X 



2.1 

G-switch did not activate sequencer 

X 



2.2 

Low-pass filter wrong time constant 



X 

2.3 

Reset on timer trigger 


X 


2.4 

Oscillator frequency incorrect 



X 

2.5 

Latent fault due to high-voltage discharge 



X 

2.6 

Pyro ballast (current limiting) resistors damaged in test 



X 

2.7 

Timing of "And"ed circuits out of phase 



X 

2.8 

Timer jumpers wrong causing excess delay 



X 

2.9 

EMI disrupted circuit operation 



X 

2.10 

Environment effects on avionics 


X 


2.11 

Pressure transducer interferes with fire command 



X 

2.12 

Avionics shorted (internal) 



X 

2.13 

Fuses opened 



X 

3.0 

Harness/Connector Failure 


X 


3.1 

Circuits not connected to pyro 


X 


3.2 

Harness open 


X 


3.3 

Harness shorted 


X 


4.0 

Drogue System Failure 


X 


4.1 

Pyro failed 


X 


4.2 

Drogue parachute did not deploy 



X 
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This systematic approach for elimination of all possible causes is the foundation for all 
conclusions reached by this report. Appendix A contains a complete list of the faults that were 
enumerated by the FRB and M1B. 

2.2.1 Fault 1: Electrical Failure in SRC 

A key factor that quickly emerged in the investigation was the ability’ of the Genesis SRC battery' to 
deliver enough energy’ to fire the pyrotechnics. The SRC battery’ experienced well-documented and 
unplanned thermal excursions while unused in flight. This history fueled early speculation that the 
battery mav have been unable to deliver the required energy’ to initiate the pyrotechnics during entry’. 
Observations made by the team examining the battery’ include: 

* Before SRC release from the spacecraft, the depassivation of the batteries was completed 
and the data received indicated that the batteries were in good health. The extensive testing 
program tracking battery’ temperature provided confidence that the flight cells had the 
capability’ to support the Genesis Entry’, Descent, and Landing (EDL) sequence. No other 
data was received from the SRC after the cables were cut. 

* At the impact site, sulfur dioxide (SO 2 ) was sensed within about an hour of impact. This 
indicated that at least one of the 1 6 cells in the battery’ had vented, or opened up, discharging 
its contents. No SO 2 was sensed at any other time in the handling of the battery’ despite 
continuous use of SO? monitors when the battery’ was not in a closed container. 

* There are two 8-cell batteries. At UTTR, within hours of the impact, and later at JPL, battery’ 
voltages always read less than 3 V. A battery of this type is considered fully discharged when 
the voltage drops below 8 V during discharge. A fully discharged but otherwise healthy cell 
will still deliver an open-circuit voltage of ~2.9 V, resulting in an expected battery’ voltage of 
>20 V. Such a low voltage (3 V) is usually indicative of multiple cell ventings. 

■ Upon opening the battery’ case, the Eccofoam potting was observed to have been generally 
heated and burned (blackened) in specific areas. Based on the color patterns, the heating was 
most intense near the center cells, with very’ little heating near the corners of the battery’ case. 
The burnt areas were strips that coincided with the tabs connecting one cell to the next. 
Additionally, the insulation between the tabs and the tops of the cells was blackened. 
Evidence of this burning was visible on the top every’ cell. With further disassembly, the 
electrical components of the battery’ were found to be operational. The temperature sensors 
still matched the output of a pristine device and the back-current blocking diodes still tested 
properly. However, the mounting boards for the diodes showed darkening consistent with 
excessive heating under the body of the diode. 

■ At the cell level, all 16 cells were found to have vented. The cells are manufactured with two 
safety’ vents designed to open and relieve excessive internal pressure. This prevents the cell 
from releasing high amounts of energy’ and unpredictably opening when overheated. The 
manufacturer expects one vent to open if the cell is heated, to greater than about 100°C, 
particularly by an external short. This would be considered a normal venting episode. Both 
vents will open if the heating rate is excessive, such as by an internal short. This would be an 
abnormal venting episode. In the case of the SRC battery, none of the cells were observed to 
have both vents open, suggesting that all of the cells vented in a normal and similar manner. 

* Finally, external to the SRC battery’ box, areas on the battery cable exhibited melting (and the 
melting appeared to have occurred in air). This is the battery cable that carried the hot and 
return wires for both batteries that make up the SRC battery’ (National Transportation Safety’ 
Board (NTSB) Report, Appendix C). 
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2. 2. 1.1 Background: Likely Sequence of Events 

The depassivation data, post-impact temperature sensor operation, and the batten -testing program 
all support the conclusion that the batten' was ready to support SRC entry. It is unlikely that the SRC 
battery' failed early in the entn T sequence. 

It is likely that the remaining batten energy was discharged into electrical shorts after impact. 
High-current shorts were developed through a short in the batten cable. The battery self-heated at 
high discharge rates (up to 50 A), which led to venting of at least 1 cell per 8-cell string. The 
manufacturer expects the cells to vent within 1 to 4 minutes when the batten terminals are shorted 
together. Normally, one vented cell results in high string impedance that stops the high-rate 
discharge. Thus, usually only one cell in a string would be expected to vent. Yet we obsened that all 
the cells were vented. We postulated several options that could result in all cells venting, including: 

* Environmental headng (whole battery >10() Q C) 

s Exothermic chemical reactions (especially with the potting) 

18 Internal shorting of each cell 

® External shordng of each cell 

Environmental headng is an unlikely cause since SRC temperatures stayed within expected limits 
during entry 7 . In addition, the discoloration pattern on the Eccofoam pointed to an internal heat 
source. No evidence was found for chemical reactions in the potting material, so that source of 
heating is also unlikely. Shordng of the cells internally is certainly a possibility given the violence of 
the impact. However, since only one cell vent opened on each of the cells and no internal anomalies 
were observed in the cell X-ra\ 7 s, internal shorts were considered unlikely. 

The likely cause for all cells to vent is external shordng. The observed “burning” of Eccofoam in 
the vicinity of the tabs and the blackened insulation under the tabs leads to the conclusion that the 
tabs were very 7 hot. Eccofoam heated in air was observed to turn black at about 200°C. Calculations 
show that nickel tabs could reach 500°C within seconds at short-circuit currents. As built, the 
positive tab from the cell top was tightly strung over the edge of the negative case cell and attached 
to the sidewall of the adjacent cell in the string. The manufacturer reported that they pulled the tabs 
tight to make sure that any cell movement would cause a tab to break, thus effectively working as a 
mechanical fuse in the case of a severe impact. The battery 7 did not include a fuse or any other device 
to limit short-circuit battery 7 current. 

The insulating materials between each tab and the cell cases were shrink wrap and mylar tape, 
polymeric materials that melt at low temperatures (<100° and 130°C, respectively 7 ). It is likely that the 
hot tabs melted through this insulation well before the cells would have discharged enough to over- 
heat and vent. With the insulation gone, the positive tabs shorted directly to the negative case for 
each cell. Each cell therefore developed an individual external short that discharged each one at a 
high rate until individually they vented due to self-heating. 

Therefore, our conclusion is that an external short at the battery 7 level resulted in a high-rate 
discharge, causing overheating of the positive tabs of each cell, shorting the tab to the cell’s case. 
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This dead short at the cell level resulted in evert' cell venting within a few minutes of the initiating 
external short. A detailed report of the batterv investigation can be found in Appendix B. 

Consideration 

Where there is no battery-level current-limiting device, such as a fuse, it would be helpful for batten 1 
manufacturers use higher temperature insulation between the tabs and the cell. 

2.2. 1.2 Conclusion 

Based on the scenario described above, it is likelv that the battery energy was discharged post-impact, 
and enough energy was available to overheat and vent each cell. Therefore, the battery contained 
enough energy to power the SRC entry sequence. The battery was uninvolved in the mishap. This 
item, “Electrical Power f ailure in the SRC,” was closed as unlikely. 

2.2.2 Fault 2: Avionics Failure in SRC 

The two avionics units, or boxes, contained the drive electronics that controlled the extension and 
retraction of the solar wind collectors (shown in Figure 2-2). Each box was a block-redundant 
electronic assembly containing three electronics boards, or circuit cards. Power came from two 
independent batteries housed in a single-assembly battery box. The avionics units were controlled by 
commands from C&DH subsystem software; they did not themselves contain a processor or run 
software of any kind. 




Heat Shield 
Structure 


GPS Receiver 


Canister 


Latches (4) 


Avionics 

Boxes 


Connector l/F 
Bracket 


C-C Heat Shield 


Battery 


Figure 2-2. SRC mechanical assembly 
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During the return trip to Earth, after achieving the correct orientation, C&DH issued commands 
for the SRC to begin operating on batten’ power. Then, after separation from the Genesis spacecraft, 
SRC avionics was left entirely in control of onboard SRC mechanisms. G-switches were to detect the 
deceleration of the SRC as it entered the atmosphere, initiating timers designed to trigger the three 
critical events calculated to ensure a safe return of the SRC to Earth — drogue chute deployment, 
drogue cable cut, and main chute deployment (Table 2-3). Final-approach events and the expected 
landing timeline for the nominal mission are illustrated in Figures 2-3 and 2-4, respectively. 


Table 2-3. EDL Pyro Event Timeline 


Event 

Description 

Purpose 

Pyro Count 

Time 

1 

Drogue Chute Deployment 

Slow SRC following atmospheric entry 

2 

15:54:53 

2 

Drogue Cable Cut 

Release drogue chute in preparation 
for event #3 

2 

15:56:20 

3 

Release DACS 

Release main chute 

6 

15:59:07 



Figure 2-3. Spacecraft final TCMs and SRC release event timeline 
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TCM-11 Initiate Release 



Figure 2-4. Genesis SRC Earth-entry timeline 


Table 2-4 contains the actual mission timeline and shows when the Drogue Chute failed to 
deploy, resulting in a vert’ hard impact with Earth at 15:58:52 ETC. Figure 2-5 illustrates the 
expected magnitude of the deceleration force and the timeline for subsequent pyro events. All three 
pvro event times were contingent on detecting the initial deceleration event. 


Table 2-4. Genesis SRC EDL Timeline (Actual) 


Event 

Entry Time 
(mm:ss) 

UTC 

(hh:mm:ss) 

Altitude 
(MSL, km) 


Capsule Separation 

El-4 hours 

11:52:47 

59471 


Entry Interface 

00:00 

15:52:47 

135 

22 

Sensible Atmosphere 

00:23 

15:53:10 

102 

38 

3-g Point (Increasing) 

00:45 

15:53:32 

75 

37 

Peak Heating 

00:59 

15:53:46 

60 

30 

Peak Loads 

01:10 

15:53:57 

52 

21 

3-g Trigger Point 

02:01 

15:54:48 

35 

2.2 

<Drogue Chute Deploy> 

02:06 

15:54:53 

33 

1.8 

Hi-Speed Tumble 

-03:23 

~ 15:56:10 

17 

0.5 

Impact 

~ 06:03 

~ 15:58:52 

1.3 

0.2 

<Main Chute Deploy> 

06:20 

15:53:32 

7.4 

0.15 

<Air Snatch> 

22:07 

15:53:32 

2.4 

0.01 

<Touchdown (Backup)> 

26:22 

15:53:32 

1.3 

0.01 


Anomaly events in italics 
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Figure 2-5. SRC deceleration profile and pyro event timeline 


Avionics Events 

Figure 2-6 is a block diagram illustrating the redundant SRC avionics boxes, batten’ power sources, 
EDL pvros, and C&DH subsystem. Required functions were carried out by the three circuit cards 
housed in the avionics boxes, each card dedicated to a separate activity (Figure 2-7). Circuit cards 
communicated with each other via a backplane and communicated with the spacecraft C&DH by 
signals passed through the front panel connectors. The main functions of the avionics units were: 

m Power (including control and power for motors, batteiy depassivation, and final battery operation; see Figures 2-8 

and 2-9). The Relay module was responsible for SRC power, conditioning the LiSCb batten,' 
before SRC separation, and then sending commands to switch power to SRC batteries. Note that 
although the G-switch sensors were located on the Relay module, their functionality was closely 
related to the Event Sequence Timer (EST) module. Contacts on the G-switches went directly to 
the backplane and were passed to pins on the EST module. An X-ray of the G-switch dearly 
shows the proof mass and the spring that determined the sensitivity of the switch. The direction 
of applied force required to close the switch is also easily discernible (Figure 2-10). 

® Event Sequence Timing for EDL events. This function was allocated to the EST module. EST 
electronics were responsible for initiating the pyros at predefined times after deceleration was 
detected. The block diagram in Figure 2-11 shows both SRC Avionics units side by side — SRC-A 
on top and SRC-B on the bottom — clearly illustrating the application’s redundancy. Each 
Avionics unit had two G-switches that fed separate low-pass filters and timer circuits on the EST 
module. Both G-switches had to indicate a positive detection to initiate a pyro event, a design 
feature that prevented premature firing of the pyros. The figure shows both timer outputs 
‘AND-ed’ together. The ‘AND’ condition must be true to fire the pyros from that SRC string. 
This ‘AND-OR’ architecture is common to many spacecraft pyro designs. 
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The EST electronics card comprises four functional blocks: low-pass filter, counter, timer 
decodes for each event, and FET drivers to trigger the pvros. The G-switches each feed into 
low-pass fdters. When a G-switch closes, the input to the low-pass filter is pulled high. The low- 
pass filter only allows signals through that persist for longer than ~500 ms, effectively 
eliminating accidental inidation of the timers due to glitching or g-switch chatter. The two low- 
pass filters feed into two independent dmer circuits. These timers use a 1 0-11/ timing source to 
measure the passage of time (Figure 2-12). They are designed to not inidate a countdown undl 
the g-switch indicates that it was open after having been closed for more than 500 ms. By doing 
this, the time for the various pyro events was ued to the falling edge of the deceleration curve 
illustrated in Figure 2-5. Once the counters began counting they would continue counting. The 
output of the counter chain went into a decode tree that was used to select the 3 times required 
to fire the pvros idendfied in Table 2-3 (see also Figure 2-12). The cross-coupling of the two 
timer branches precluded firing a pyro before both chains indicated the pyro should be tired. 

R Motor control topic and drivers to extend and retract the sample surfaces. This function was allocated to the 
Motor Drive Electronics module and had no role in the EDL timeline. 



Figure 2-6. Spacecraft block diagram and Interface diagram 
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Figure 2-7. Location of circuit cards in an avionics box 
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Figure 2-9. G-switch location in relay module 



Figure 2-10. G-switch views; X-ray shows mass and spring 


The Forensic Process 

Shortly after the mishap, I At A engineers identified the proximate cause of the failure in less than a 
week. The forensic evidence indicated that the first pyro event had not occurred (i.e., the drogue 
chute had not deployed). The list of possible common mode failures that could affect both avionics 
units was small. LMA engineers quickly identified the improper orientation of the G-switch as a 
simple common fault in both redundant avionics units that could explain the entire failure. 
Examination ot the as built relay module indicated that this was indeed what had happened. 
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G switch test 


Ground 



Figure 2-1 1 . EST block diagram 



Figure 2-12. EST flow diagram 


JPL and the MIB spent a significant amount of time identifying the root causes of the failure and 
making sure the failure analysis was comprehensive. This was accomplished by developing and 
refining a fault tree that could be used as a road map for exploring the complete constellation of 
possible failure causes, as well as offer an explanation for some of the causes. There were 35 fault 
tree items. Refer to Appendix A for the complete Genesis Fault Tree. 
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This approach was important because 

* The failure cause was not unequivocally proven 

* The failure cause did not rule out other contributing faults 

* A similar mission with essentially the same EDL system (Stardust) is concurrently making its 
way back to Earth 

After helping to refine the fault tree, the SRC Avionics sub-team spent most of their time 
focusing on branch 2.0, “Sequencer Did Not Function.” This branch contained the leaf pertaining to 
the possible incorrect installation of the G-switches. The investigation was guided by three questions: 

/. Could we easily prove that the G-switches wen improperly installed- — not just from engineering drawings, hut from 
objective evidence of the as-built unit ? 

Answer. X-rays of the Engineering Design Unit clearly showed the G-switches to be installed in 
the opposite direction they should have been, given the expected forces on the SRC (see Figure 2- 
13). This was verified by a visual inspection after the surviving flight SRC unit was disassembled. 

2. Was there any reason to believe the G -snitches should have been activated by ARC tumbling, even though improperly 
installed ? Failure to open at this juncture, assuming the design parameters indicated that this was 
likely, would have pointed toward another failure cause lurking behind the first obvious failure. 

Answer Using visual imagery, analvsis of the forces experienced by the G-switch after the SRC 
started to tumble proved them to be insufficient to trigger the parachute deployment. This eliminated 
concern that G-switch orientation was masking a more subtle problem in the SRC. 

3. Was there any reason to believe the G-snitch design would not have worked had the G-switches been properly 
oriented ? Some of the branches in the fault tree cast doubt on the attributes of the G-switch when it 
was operated in the Genesis environment (e.g., the SRC capsule was spinning and the deceleration 
vector was not aligned with the axis of the G-switch). 

The answer to the final question was deemed unlikely. The FRB consensus was that any question 
in this area was really a feed-forward issue that should be answered by other missions using this same 
design (i.e.. Stardust). 

2.2.2. 1 Test Findings 

Avionics Unit 1 (AU1, referred to as Avionics Unit A by the MIB), located near the battery, showed 
minimal visible damage and was relatively intact. AU1 was disassembled, inspected, and photo- 
graphed 2 . During removal of the boards, it was verified that the G-switches were indeed 180 degrees 
out of phase with the atmospheric acceleration force on the spacecraft. Avionics Unit 2 (AU2), 
located near the GPS beacon, sustained a large amount of impact damage. 


' Testing and inspection of AU 2 was severely limited due to impact damage. It was possible to verify the 
Pyro Resistors on AU2; there was no indication of overstress. It was also possible to verify the timing 
resistors on AU2 and all were installed as expected. 
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Figure 2-13. X-Ray of board indicating that installation of G-switches matches board layout drawing 


Continuity Testing 

Continuity tests were performed power-to-ground and power-to-power on all power and ground 
nets (including secondary voltage regulator outputs), as well as on the Relay and EST cards. 
Continuity tests were also performed pyro-to-ground and pyro-to-pyro on all the pvro outputs on the 
EST card. These tests found no unexpected shorts. Fuses on the EST and Motor control card were 
checked for continuity. There were no open fuses. 

Continuity tests were performed on the power relays in an attempt to determine relay state; 
however, the results were ambiguous and indicative of relay damage. X rays of the relays also proved 
hard to interpret, but suggested the flight relays had most likely been damaged due to impact. The 
LMA relay failure analyst reported that relays are fragile and dropping them even 3 to 4 feet onto a 
bench will damage them. 
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Pyro Ballast Resistors 

Pyro ballast resistors were checked for physical size and ohmic value and visually inspected for signs 
of overstress. The 0.1°/) precision resistors were the correct physical size and there was no indication 
of overstress. Variations between measured values and specification on the order of 3% were 
observed; however, these variations are attributable to the measurement method. The measurements 
were taken by probing the resistor leads through the conformal coat using a simple 2-wire hand-held 
digital multimeter. This was not a precision measurement method and was not capable of resolving a 
1.6 Q resistance to within 0.1%. 

Timing Resistors 

Timing resistor configuration was verified visually and using a continuin' meter. There was a missing 
resistor that resulted in an open to pin 9 of AND gate U37 on the EST Card SN 001 . The missing 
component was in the drogue-harness-cut timing circuit B. The correct state ot the input was 
supposed to be logic high. A logic low on the input would disable the circuit and result in loss of the 
drogue-hamess-cut pyro fire signal from AU 1 . 

Conformal coating could be seen over the solder pads. The missing resistor could not have been 
sheared off at impact without damaging the conformal coat. Inspection of “as-built” drawings 
confirmed the resistor was missing before launch. The relay pads were examined by LMA failure 
analvsts to determine if the resistor had ever existed. There was evidence that a resistor had been 
removed from the pads. 

The missing resistor was not detected in functional tests. The board passed both board-level and 
Assembly, Test, and Launch Operations (ATLO) functional timing tests in spite of the missing 
component. The impact of the missing component was a loss of redundancy for the drogue-harness- 
cut function due to the possibility of timer malfunction from AU 1 . The missing resistor would not 
have resulted in failure of the drogue to deploy. 

Additionally, EST S/N 001 from AU 1 was functionally tested post-flight (see Appendix G) to 
verify operation of the SRC-AU EST board. The board successfully completed two sets of pyro 
signal timing and output voltage tests, which included six drogue-harness-cut timing tests. The board 
passed all drogue-hamess-cut timing tests. It is suspected that parasitic leakage may have resulted in 
the open input floating high (correct state). 

2. 2. 2. 2 Conclusion 

The avionics inspection did not turn up any likely causes for the failure of the drogue to deploy other 
than the incorrect phasing of the G-switches. The successful test of EST Card SN 001 proved that 
the AU 1 EST card was fully functional during EDL (since it’s hard to imagine an impact somehow 
fixing a broken card). Thus, at least one avionics unit was fully functional during EDL, and, thus 
avionics failure could not have been a cause for failure of the drogue to deploy. The avionics unit 
inspection confirmed that the G-switches were phased incorrectly and would not have closed during 
normal EDL, thus resulting in the failure of the drogue to deploy. 
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2.2.3 Fault 3: Harness/Connector Failure 
2.2.3. 1 Thermal Protection System Inspection 

One explanation for a failure in the harness/ connector would be a breakdown in the Thermal 
Protection System (TPS). To determine the extent of TPS degradation, if any, a visual examination of 
the remaining TPS hardware was performed to determine if a failure of the TPS led to the 
malfunction of the parachute deployment system. This inspection was not intended to include any 
destructive tests of the materials. The JPL Failure Review Board supported the NASA Mishap 
Investigation Board in this effort. 

Forebody Heat Shield 

The forebody heat shield experiences the hottest temperatures on the spacecraft and is critical to 
protecting its internal components. The Genesis heat shield was made of a new material that 
incorporated a thin carbon— carbon composite outer shell with carbon insulation on the interior. 
Approximately half of the heat shield remained after impact, but a close visual examination showed 
no cracks, pinholes, or delamination of the carbon-carbon face sheets. As expected, the original 
thermal control coating was completely removed by entry heating, with only traces remaining on the 
curved, maximum-diameter region. Under magnification, the weave pattern of the carbon— carbon 
face sheet looked normal. Where visible, the internal carbon insulation was inspected and showed no 
sign of flow burn-through. 

Three retention and release (R&R) fittings, used to mechanically connect the spacecraft bus with 
the SRC during flight, penetrated the heat shield. They were potential pathways of hot gas ingestion 
into the spacecraft. All three R&R fittings were recovered: one intact in the recovered portion of the 
heat shield, and two broken out of the heat shield. Downstream of the intact R&R fitting, a darkened 
plume region caused by the hypersonic flow passing over the hole of the R&R fitting discolored the 
surface of the carbon-carbon bus. This discoloration was likely due to a combination of increased 
heating due to turbulence and erosion deposits from the exterior molybdenum fitting. The 
appearance was nearly identical to thermographic paint patterns seen during Langley Research Center 
wind-tunnel tests, which were conducted for the original design development. The narrow shape 
suggests a small angle of attack of approximately 1 to 3 degrees, well within pre-entry design 
expectations. The hole in the carbon skin for the molybdenum fitting showed some evidence of 
shoulder rounding on the downstream wall, and there was some rainbow discoloration on the 
interior of the carbon— carbon bus. This discoloration could be due to a number of causes: normal 
adhesive variation, normal skin leakage transporting surface contaminants, or hot gas penetration due 
to partial erosion or bus separation. If a hot gas penetration condition did exist, it was so small that a 
full burn-through was precluded — there was no other evidence of any flow between the face sheet 
and boss. Thus, any such blowby, although conjectural, did not compromise the heat shield system. 

The interior of the R&R fitting consists of a bolt-catcher can. There was noticeable black 
discoloration on the can that was thought to be a result of impact events causing electrical arcing of 
the Avionics Box A harness (see Appendix C). 
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Overall, inspection of the forebody heat shield showed no unexpected anomalies that would 
have compromised the integrity of the heat shield. Examination of the interior structure showed 
minor discoloration on some surfaces, but there was no evidence of hot gas ingestion, bum-through, 
or overheating. Most of the discoloration appeared to be consistent with UV exposure (the SRC was 
open for long periods of time during the science collection). 

Temperature strips that were attached to the inner structure read between 121 and 138°C. The 
TPS-to-structure interface, where the adhesive was located, has a design temperature limit of 250°C. 
The inner structure temperature where the temperature strips were located would naturally read 
approximately 20°C lower than this interface. 

Main Seal 

The main seal between the heat shield and backshell consists of two parts — an inner low-temperature 
seal and outer high-temperature seal — both bonded to the heat shield side with a silicone adhesive. 
Both seals showed significant fraying, especially on the impact side of the capsule. Presumably this 
fraying was due to the impact event, as there was no sign of any heat distress, melting of the exposed 
fibers, or blowby patterns that would have been introduced if the frayed fibers had existed during 
entry. At the locations where the main seals had been pulled loose from the carbon— carbon base by 
impact, the underlying adhesive looked uniform and clean with no signs of bum-through or blowby. 

Backsbett 

The backshell TPS consisted of SLA-561V, a flight-proven material with heritage extending from 
Viking to the Mars Exploration Rover. As was the case for the forebody TPS, approximately half of 
the backshell was recovered. The general surface appearance was as expected, with a smooth surface 
that showed no physical defects. The char band around the lower part of the backshell was fairly 
uniform, but was interrupted in a 4-inch-wide zone. This zone seems to have been a result of the 
disrupted flow' over the forebody R&R penetration. 

The interior of the backshell was inspected for evidence of hot gas ingestion or thermal distress. 
Most of the interior was still covered with the multilayer Kapton insulation blankets. These blankets 
and Velcro fasteners showed no sign of thermal distress. Some discoloration in areas on the structure 
appeared to have been from solar exposure. Overall, the interior of the backshell appeared to be in 
pristine condition. 

There were two remaining intact vent penetrations on the backshell. One was partially crushed 
from impact and was contaminated with mud. Neither vent showed any sign of hot gas penetration 
or thermal distress. In fact, no seals in the backshell showed signs of overheating. 

Temperature strips were still attached in locations on the inner structure and read between 71 
and 82°C for the upper biconic region of the backshell, which is the coolest portion of the SRC. The 
highest reading from temperature strips located on the lower biconic region, which is the hottest 
region, was 1()5°C. The TPS-to-structure interface, where the adhesive was located, has a design 
temperature limit of 250°C The inner structure temperature where the temperature strips w’ere 
located would naturally read approximately 20°C lower than this interface. 
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2.2.3.2 Conclusion 

In general, the visual inspection of the surviving TPS hardware and associated seals, vents, and 
penetrations showed no signs of hot gas burn-through or thermal distress. There appeared to be no 
anomalies of the TPS that compromised its integrity or performance. Preliminary temperature strip 
readings showed temperatures that were within design specifications. The post-entry surface 
characteristics of the forebody and aftbody TPS leads to the conclusion that the entry was nominal 
and that SRC tumbling did not occur during atmospheric entry 7 . In conclusion, there was no evidence 
of TPS failure. Inspection of the harness showed the cable was intact during re-entry. Thus, the 
harness/ connector failure was closed as unlikely. 

The participating NTSB member performed an analysis on a portion of the SRC harness that 
appeared to be shorted/charred. After. careful analysis, it was determined that the cable shorted in an 
oxygen atmosphere. This means that the cable could not have shorted prior to the pyrotechnics 
command for chute deploy; the short most likely occurred upon Earth impact. 

2.2.4 Fault 4: Drogue System Failure 

Inspection of the drogue chute system showed that the main mortar, as well as the pyrotechnics 
needed to fire it, were intact. Because the drogue chute deploy system was never initiated, this fault 
was deemed unlikely. 

Consideration 

A careful examination and evaluation of the Genesis parachute for long-duration exposure effects 
would be a prudent action for the Stardust mission. 

2.3 Discussion, Findings, and Recommendations 

The findings and recommendations from the Genesis Mishap Investigation Board are presented to 
enhance the safety and success of future missions. As will become evident, Genesis had a number of 
issues — all interrelated, all leading to the mishap. First and foremost was the failure of project 
management to set up systems engineering processes to perform the oversight and insight functions, 
including verification, required to manage the job. In order to put this discussion in context, 
however, it may be helpful to review key issues of critical importance to the project. 

2.3.1 Discussion 

The mission evolved in a climate of strict tight schedules and fiscal margins (see Appendix D). In 
order to meet the cost cap, a high-heritage design was proposed based upon the Stardust Sample 
Return Capsule and spacecraft bus. However, heritage hardware and software proved inadequate for 
Genesis, leading to deviations from the baseline mission design and jeopardizing Level I 
requirements. 

Background 

In preparation for the Preliminary Design Review, the project organized a peer tabletop review on 
the SRC (including the SRC-AU). The SRC-AU functionality' had grown beyond that of the Stardust 
design. Additional relays were required, as well as a new motor control board to drive the collection 
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arrays and contamination lid, driving the SRC- AU to exceed its volume and center of gravity (CG) 
constraints. This made it necessary to split the SRC-AU into two units. The SRC-AU was also placed 
normal to the heat shield to meet CG requirements (Stardust’s unit was horizontal, flush with the 
heat shield.) 

Concurrentlv, the primary designer for the SRC-AU left Genesis and a new Project Integrity 
Engineer (PIE) was assigned. The new PIE faced a number of pressing issues: the Motor Control 
Board (MCB) functionality did not fit within the allocation; the PPG A was 120% oversubscribed; it 
was unclear that the relays could be laid out; and the Event Sequence Timer (EST) board was under 
lavout constraints. The primary concern was the MCB board FPGA, because if it could not be made 
to fit within the allocation or functionally meet its requirements, then Genesis Level I requirements 
were in jeopardy. 

Several changes to the G-switches occurred during this time as well: the G-switch orientation 
was altered from normal to the Printed Circuit Board (PCB) to horizontal with the PCB; location was 
switched from the EST board to the relay board; and signals were routed through the backplane. 
These modifications were handled by the LMA design shop and contracted out for job shop work. 
The modifications underwent a peer tabletop review and were presented at the Critical Design 
Review (CDR). During CDR, it was stated that the SRC-AU would go through a centrifuge test to 
verify its functionality during descent. 

Consequences 

Design issues had a significant impact on the project schedule, leading to cutbacks of critical testing, 
oversight, and independent verification. Multiple changes and design issues caused deliver)' of the 
SRC-AU to ATLO to slip by 4 months. Because the deliver)’ was late, it was decided to drop the 
centrifuge test in favor of verification by analysis and inspection. No documented system engineering 
oversight was performed; neither was there concurrence on this decision. After temperature testing 
the SRC-AU as part of the testing regimen for ATLO deliver)’, the PIE decided a continuity' test was 
needed. The PIE, along with LMA Mission Assurance, developed a “quick-lift” test to verify- that the 
G-switches made contact and that all cabling and backplane signals were contiguous. This test was 
not intended to be a performance test that verified G-switch orientation. Thus, the SRC-AU was 
delivered to ATLO without a complete performance test, without independent verification by 
analysis/inspection that the G-switches met the implementation requirements, and without lessons 
learned from Stardust integration and testing. 

Other factors 

Concurrent with these events, the second of the Mars failures occurred. In December 1999,JPL’s 
Systems Management Office, under direction from NASA and JPL senior management, set up a red 
team to review the readiness of Genesis for launch. The red team chair developed a detailed plan and 
objectives that were reviewed and approved by JPL senior management. Eleven sub-teams were 
formed that spent 2 days reviewing material, 1 to 1-1/2 days with their counterparts on Genesis 
(Telecom, C&DH, Electrical Power Subsystem, Thermal, etc.), and 1 day preparing a report that was 
briefed to the red team lead and the other sub-team leads. These inputs were then assimilated into 
one report that was briefed to the Genesis project and JPL management. After the initial release of 
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findings, an EDL sub-team review was held. This review was performed quickly and late in the 
review cycle, focusing mainly on aerodynamic issues, and uncovered no substantive findings. 

The Genesis project at this time was responding to the Mars Failure Board recommendations, 
the red team findings, and a slip in launch date. The project received S17M additional dollars to 
respond to these findings and the launch slip caused by conflicts with Mars Odyssey. 

2.3.2 Findings 

These are the root and proximate causes of the mishap, as identified by the MIB and FRB. Specific 
recommendations and contributing factors are included in the following sections. 

* Systems Engineering 

* Project Management 

* Heritage 

* Test As You Fly 

* Red Team Reviews 

2.3.2. 1 Systems Engineering (Checks and Balances) 

Background 

The core of program management successes are due to the formal systems engineering checks and 
balance processes, usually managed under the functional lead of systems engineering and a chief 
engineer. During development, the JPL Genesis project established a project management concept 
that was missing penetrating systems engineering checks and balance systems. JPL was responsible 
for the requirements and LMA was responsible for the flowdown of the requirements and the 
development, design, and test of the hardware/software to verify requirements. There were no 
formal JPL Responsibility, Accountability, and Authority (RAA) process controls over LMA. The 
following traditional systems engineering checks and balances were missing, understaffed, or 
improperly applied: 

* Oversight/ Insight Inadequate numbers of systems engineers were assigned to both JPL 
and LMA project management teams. JPL systems engineers were not given penetrating 
oversight into LMA or accountability for any hardware, systems, or subsystems. Concerns 
expressed by JPL systems engineers, especially those regarding inadequate oversight and 
testing, were not dispositioned. The JPL Development Project Manager did not implement a 
penetrating systems engineering process and chose not to assign individual JPL responsibility, 
accountability, or authority to subsystem hardware, software, or documentation efforts. 

* Verification Matrix. A key systems engineering responsibility is ensuring that the Test 
Verification Matrix verifies the requirements. The high-level requirements were developed by 
JPL. LMA developed the flowdown to subsystem requirements and the Test Verification 
Matrix for the flight system. However, JPL or LMA systems engineers never (either 
independendy or together) verified that the tests (either designed or implemented) verified the 
requirements. In addition, there was no JPL independent assessment or data review of the 
close-out of verification items. 
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* Phasing Testa Due to limited systems engineering support, the Phase Test Plan was not 
reviewed for completeness. The plan included standard attitude control functions, but not 
unique non-attitude control functions (like the gravity switch). Also, because the G-switch 
was part of the SRC-AU and not part of the attitude control functionality, this oversight was 
not caught. The deletion of the centrifuge test was not recognized as a phasing verification 
test, but as a design performance issue. 

* Data Review/ Change Control. In the absence of formal requirements to approve LMA 
documentation (e.g., test plans, changes to documentation, material substitutions, supplier’s 
material/test changes), JPL checks and balances did not occur. For example, while JPL could 
participate in LMA design and documentation reviews, JPL did not have a veto right or the 
ability to direct LMA on what types of changes were required to be presented at a Change 
Control Board. The decision to delete the centrifuge test was made at a local level — JPL 
systems engineering or project teams had no apparent knowledge of it. This is a clear 
indication of pushing the decision as low into the organization as possible, but without the 
oversight to verity the rationale of the change. Mandating change control for mission-critical 
events might have been a fail-safe process to catch the test deletion. 

JPL’s specific knowledge of an issue came via LMA at weekly meetings. Problems were 
tracked and managed separately at JPL and LMA. LMA used a fairly standard aerospace risk 
management approach, which combined issues, problems, and risks. LMA provided this 
monthly to JPL, which then sorted LMA’s input into two categories — problems and risks. 
These risks or problems were statused separately in monthly reviews. 

Recommendations 

R1 Ensure that JPL is involved in all program and system verification changes. Individual 
verification of all changes to plans, designs, tests, material substitutions, or implementation 
processes is critical to ensure systems performance is not jeopardized. 

R2 Assign JPL mission phase system engineers for critical mission events. Such critical 
events as launch, orbit insertions, aerobraking, and EDL should have mission mode system 
engineers. Their primary role is to ensure that crosscutting functions are verified. They should 
be boundary and subsystem independent, following the design to its conclusion. The system 
engineer should reside at the appropriate location in the system engineering team to facilitate 
and resolve crosscutting issues. 

R3 Develop an incompressible test list and monitor it for completeness. Upon completion 
of the development activity, the systems engineering team should determine which of those 
items in the verifications matrix must be completed by test. This list could be refined to 
include only those critical crosscutting systems tests that demonstrate robustness of the 
system as a whole. Examples of such tests are phasing, reboot, and safe hold. 

R4 Use a common risk management system across the project. Common definitions for 
risk, problems, and issues must be agreed on early and placed in the Risk Management Plan. 

A clear reporting process from a contractor up through JPL should be defined and 
documented in the Risk Management Plan. 


30 


Genesis Failure Investigation Report 


Technical Investigation 



2. 3.2.2 Project Management 

Both JPL and LMA project management had deficiencies. This section describes the key deficiencies 
of each. 

JPL Project Management Background 

The JPL Development Project Manager delegated the actual building and testing of the hardware and 
software to LMA without identifying and agreeing on systems engineering checks and balances 
processes. The JPL Program Manager did develop and document the requirements through the 
systems engineering team, but did not develop or approve how the requirements were to be verified. 
Basically, JPL’s responsibility ended at Level II requirements, and LMA managed the 
hardware/software development build and test without JPL formal oversight or approval. The 
Verification Matrix was never formally approved by JPL; nor were LMA test plans approved by JPL. 
The JPL project office was too small and the systems engineering function understaffed, which 
limited its ability to provide oversight on LMA. 

Observation 

The JPL Development Project Manager’s approach to managing the Genesis project failed to put in 
place a checks and balances process to verify the hardware and software met the system-level 
requirements. 

Recommendation 

R5 Require JPL project managers to institute a formal systems engineering checks and 
balances process with individual responsibility, accountability, and authority for 
systems and subsystems. This implies that systems engineers must be cognizant of 
requirements, implementation plans, and all changes. 

Establish a reasonably-sized systems engineering team with the responsibility to probe, audit, 
and verify completion of verification items. Reduce the multitasking of systems engineers and 
allow time for them to perform the above functions. Ensure the team has time to probe key 
verification items and ensure the tests verify the requirements and the close-out paper 
supports its verification. 

LMA Project Management Background 

The LMA Project Manager was “empowered” by the JPL Development Project Manager to 
accomplish the design, build, and testing of the hardware and software in accordance with the 
Verification Matrix of the requirements document. There was no formal review and approval 
requiring JPL sign-off of LMA activities. The LMA Development Project Manager chaired a weekly 
telecom and a monthly meeting to review program status. As LMA chaired these meetings, the issues 
and problems raised and discussed were heavily driven by LMA. JPL had one person in residence at 
LMA; other JPL project personnel traveled to LMA either to assist in issue and problem reduction or 
to witness the development testing of a subsystem. LMA also was driven by profit and loss (P&L). 
Under the Discovery program, funding is identified with risk funds. However, the belief was that the 
program would be terminated if it exceeded the cost cap. The design and development issues 
common to all projects surfaced and began to significantly reduce LMA’s profit position on Genesis. 
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The LMA Development Project Manager reduced staff, eliminated reviews, and increased the 
number of roles of his systems personnel by calling them both design engineers and systems 
engineers. Eventually, the LMA Development Project Manager even convinced LMA management 
to forego fee in order to keep costs within bounds. While specific documentation does not exist, 
circumstantial evidence suggests that the decision to not conduct a centrifuge test on the G-switches 
was driven primarily by schedule and ultimately by cost. 

Observation 

LMA’s Genesis program performance was “best effort” within a P&L cost constraint. LMA was not 
provided any detailed JPL oversight. LMA’s own systems engineering support was weak, due to task 
multiplexing. This was justified under the belief that heritage hardware requires minimum oversight. 
The JPL Development Project Manager’s managerial style was one of total empowerment to LMA, 
with no penetrating systems engineering oversight checks and balances processes established. LMA’s 
reacdon to cost growth, by reducing personnel, tesdng, etc., contributed to the Genesis failure. 

Recommendation 

R6 Change the fee structure for a P&L contractor to a fixed fee of 4% to 6%, with an 
award fee of 9% to 11%, based principally on cost and program management 
performance. The intent of this award fee concept is to provide an environment to reward a 
P&L contractor for management of program costs and for overall management of the project 
itself. On-orbit performance award fees are too late in the project life cycle to have an impact 
during development. In addition, JPL should not attempt to restructure the contract of a 
contractor, who has performed well on cost containment, to pay for poor cost performance 
in other areas, including JPL. 

23.2.3 HERITAGE 
Background 

The FBC concept stressed the use of heritage hardware and software as part of NASA’s program 
selection criteria. Unfortunately, heritage hardware and software is almost never implemented as 
previously flown or certified. In Genesis, the G-switch was stated to be Stardust heritage hardware. 
The Stardust G-switch circuit design may have been the same for Genesis, but there were a number 
of circuit card and layout changes, e.g., the Stardust G-switch circuitry is on two cards and in one 
box — in Genesis, this same functional design requires three cards and two boxes in addition to 
control functions not on Stardust. These extensive changes destroyed any similarity' to Stardust 
heritage except in a very' minor sense. This departure from the “build to print” concept should have 
required a more thorough review and test program. However, heritage was assumed to indicate 
minimum risk and thus not in need of as detailed insight or oversight by JPL and LMA systems 
engineering. 

Observation 

The term heritage should be viewed as an alarm — a warning signal — requiring a special look. JPL and 
LMA senior project managers and systems engineers did not require centrifuge testing for the 
Genesis hardware changes from the Stardust G-switch hardware, deciding instead that analysis was 
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adequate verification that the G-switch met the requirements. In actuality, the Genesis boxes 
containing the G-switches were far trom heritage. Furthermore, G-switch verification testing should 
have been done in a centrifuge as part of an incompressible test list, and not by analysis. 

Recommendation 

R7 Ensure that heritage hardware goes through the same strenuous verification and 
review process as new designs. While the nonrecurring costs will be lower, the testing 
program should not have less veracity. Additionally, all heritage items, as well as any changes 
from heritage designs, should be highlighted and briefed at major project reviews. If 
verification by analysis or similarity is accepted, then an independent certification should be 
used to assert the completeness of the verification. 

23.2.4 Test As You Fly 
Background 

Originally, a centrifuge test was planned in order to verify the functionality and performance of the 
G-switch. The CDR package for the SRC-AU discusses the test and even shows time set aside to 
perform such a test. As has been noted before, this test was deleted and never indicated as a Test As 
You Fly exception. Genesis red team and other reviews held after the Mars 98 recommendations did 
not recognize that this was a Test As You Fly exception. 

Observation 

The primary focus for a list of Test As You Fly exceptions is to inform management of the risks at 
launch. It can be used to facilitate a risk discussion and is not a vehicle to punish the project for not 
performing such tests. Flowever, if launch readiness reviews are the first opportunity to see and 
discuss the exceptions, the value as a communication tool is minimal. There is no time to evaluate 
other options that might allow the test to be performed. 

Recommendation 

R8 Develop a comprehensive Test As You Fly exceptions list and present it at each major 
review. The exceptions list should be presented at the CDR in draft form and continually 
updated through to launch. 

23.2.5 Red Team Reviews 
Background 

As a response to the Mars 98 failures, a special review team was called in to evaluate Genesis. This 
activity came to be known as the Red Team Review. This was the first time the red team concept was 
ever employed. The Mars 98 failures occurred late in the Genesis development cycle. Much of the 
Genesis hardware was built, and the project was well into its integration and test schedule. 

While the original red team charter did have an agenda item to review and verify that the Test 
Verification Matrix would meet the requirements, this portion of the review objectives was not met. 
The review team consisted of outsiders not familiar with the Genesis program. They were briefed on 
the program and then briefed on the area they were to review’, including meeting with the j PL and 
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LMA Genesis systems engineers. The team reviewed this material for about two days, then met and 
briefed their findings to the project and red team lead. Due to the fast pace of the review, many red 
team members did not have the time to probe deeply enough to ascertain the veracity' of the 
verification process. There was also lack of engagement on the part of a kev team member. In 
addition, leaders did not feel they had the authorin' to demand delta reviews when certain areas were 
not prepared during the three days of reviews. 

Observation 

The JPL red team process on Genesis failed to provide a critical independent assessment or increase 
the probability of project success. The team’s members were not best suited to their roles, and the 
review’s duration was too short. As a result, the scope of the review was limited to what JPL and 
LMA project members wanted the red team to discuss. 

Recommendations 

R9 Hold a project Independent Readiness Review, headed by the systems engineering 
team members assigned to the project team and augmented by a systems 
engineering/ chief engineering staff assigned to a core organization (in this case JPL). 

First, the project systems engineers know their project (no learning curve); their reviews will 
have depth because they know the systems/ subsystems (augment as required) and second, 
they have the time to conduct the review. JPL can augment systems engineering and/ or chief 
engineering personnel with specific technical expertise. The key to this conceptual change to 
the traditional red team approach is to use the project’s own systems engineering personnel 
who start the independent assessment by tracing and confirming that the requirements will be 
verified by the Test Verification Matrix, then tracking the test plan to ensure the test plans 
match the Test Verification Matrix. The independent assessment also reviews all controlled 
changes to hardware and documentation to certify that the pedigree of the test is still valid 
and then verifies that the test setup is correct. There are many possible variations to this 
process, but the concept is to maintain a strong, independent, systems engineering staff 
within a project team that is also charged with accomplishing its own Independent Readiness 
Review (with selected augmentation for specific technical disciplines as needed). 

2.3.3 Other Considerations 

The following items were informally discussed by various FRB members. The items listed do not 
represent the opinion of the board, but are listed as “think abouts.” 

Faster, Better, Cheaper 

Genesis was a project initiated and developed during the heights of faster, better, cheaper. Many of 
the shortcomings of this implementation strategy have been stated in a number of documents, such 
as Report on the I joss of the Mars Polar Lander and Deep Space 2 Missions (JPL D-18709). This report will 
not reiterate those here but simply state that the FBC implementation approach was a contributing 
factor to the failure. 
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EDL Telemetry 

Genesis did not have any system of re-entry telemetry. Projects should continue to consider real-time 
engineering telemetry' during key critical events. 

Engineering Data Storage (Black Box) 

Genesis did not have any system for tracking its health or performance during re-entry. There was no 
requirement for a black box similar to that required on commercial airlines. Given the simplicity 7 of 
the Genesis EDL system, this idea is probably not cost effective. However, where possible, simple 
data storage implementations can provide critical engineering understanding for real life applications. 

Lack of Functional Redundancy in the Design 

The Genesis design provided block redundancy but no real functional redundancy. This class of 
designs is known to be vulnerable to design flaws that manifest themselves as common mode failure 
mechanisms. These flaws are usually mitigated by a thorough test program. Although Genesis may 
have benefited from some form of functional redundancy, the added cost may have been greater 
than the delta required to properly test the baseline block redundant system. Adding the centrifuge 
test to an incompressible test list would have verified the availability of the SRC-AU redundant 
design. 

Quality Control at LMA 

Forensics on the returned Genesis SRC avionics units revealed that they were not identical. One of 
the units had a missing resistor in the timing chain that determined when the drogue parachute cable 
cut would occur. SRC pre-launch testing did not reveal a problem in the logic. Subsequent testing of 
the recovered EST module also indicates the circuit operates as desired. However, this seems to be a 
fortuitous design. 

Engineering Configuration Control 

Review of the engineering documentation during the forensic investigation uncovered instances 
where the as-built design did not match the engineering documentation. This is troubling, given how 
important configuration management is in the engineering process. The discrepancies seem indicative 
of the rushed nature of the work. This goes back to the whole problem of schedule pressures. 

In addition, documentation for the Stardust G-switch board layout did not specify the 
orientation of the G-switch. It needed to be perpendicular to the platform plane in descent to sense 
deceleration. In Genesis, the circuit board design engineer simply did a cut-and-paste of the Stardust 
circuit design layout. Without a footnote on the Stardust drawing to explain the correct orientation of 
the G-switch, there was no better than a 50/50 chance that the G-switch would be installed with the 
correct orientation. 
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3. CONTINGENCY PLANNING AND GROUND SAFETY INVESTIGATION 

The JPL Failure Review Board (FRB) was asked to investigate the contingency planning and systems 
safety employed during the Genesis mishap. The Sample Recovery' Phase (Figure 3-1) of the Genesis 
mission extended from Earth targeting to delivery’ of the payload canister to NASA’s Johnson Space 
Center (JSC) Astromaterial Curatorial Facility in Houston, Texas. Of greatest interest to investigators 
was the segment of the phase containing the mishap, starting with pre-impact ground recovery and 
staging operations to Mid-Air Recovery (MAR), and ending with delivery’ of spacecraft debris to 
Michael Army Air Field (MAAF) Avery Area, Building 1012. An assessment of this period could 
lead to vital improvements in contingency planning and personnel safety’ for future missions. The 
descriptions of nominal and contingency sample recovery procedures in Sections 3.1 and 3.2, 
respectively, provide a frame of reference for this assessment. A detailed timeline of actual events is 
provided in Appendix E. 

3.1 Nominal Mission Plan 

The mission plan called for three helicopters to accomplish MAR operations: two recovery’ aircraft 
with identical flight and crew configurations, call signs Vertigo and South Coast; and one command 
aircraft, call sign Oscar (Table 3-1). Vertigo had the primary responsibility for MAR, and South Coast 
was its backup. Oscar carried the DoD Utah Training Test Range (UTTR) On-Scene Commander 
and Explosive Ordnance Disposal (EOD) personnel. EOD workers were there to safe any 
unexploded ordnance debris at the landing site (unexploded ordnance sources included the SRC 
and any residual unexploded ordnance from non-NASA UTTR activities). Oscar’s main role was to 
supervise the overall proceedings and suggest a suitable landing site. A fourth aircraft, call sign Chase, 
carried the NASA media crew. All helicopter recovery aircraft were launched from Michael Army 
Air Field. 

3.1.1 Successful Mid-Air Recovery 

Upon successful MAR, South Coast would immediately descend and prepare the approved landing 
site. Vertigo, with the parafoil in tow, would then land. Once the SRC was on the ground, an SOo 
sniff test was to be performed by the trained payload commander, equipped with half-mask 
respirator with acid gas cartridges, and wearing an SO 2 monitor. With SRC vents covered, the 
parafoil would be removed and the load line attached directly to the SRC. Free of the drag of the 
parafoil, the SRC could be flown at higher speed. Once in the entry' area of MAAR, Building 1012, 
the SRC’s vent covers would be removed and its interior gas volume checked for HCN, CO, and 
SO 2 . The latches attaching the backshell and heat shield would be sawed open (to permit manual 
lifting of the backshell), and gas levels would be checked a second time. If toxic gases were detected, 
LMA and JSC personnel wearing Self-Contained Breathing Apparatus (SCBA) would open the 
backshell and establish a nitrogen purge. At that point, the capsule was to be left in a quiescent 
state overnight to allow gases to stabilize before canister removal and packing for shipment. Delivery' 
of the SRC sample canister to NASA JSC was expected to take place approximately 4 day's after 
ground recovery 7 . 
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Table 3-1. Recovery Aircraft Plan 


Aircraft 

Role 

Personnel 

Actions 

Vertigo 

Primary recovery 

Pilot, director of flight 
operations, payload master 

Perform mid-air recovery of SRC 

South Coast 

Backup recovery 

Identical to Vertigo 

Ensure safe mid-air recovery 

Oscar 

Supervisory and 
authority 

Pilot, DoD on-scene 
commander, NASA recovery 
team lead, EOD personnel 

Take station position on Vertigo, 
remain clear of MAR; advise on 
landing site suitability 

Chase 

Observer and 
recorder 

NASA media crew 

Observe and record proceedings 


3.2 Contingency Plan: SRC Ground Impact 

Two possible scenarios were developed to address SRC ground impact: 

* Failed MAR (low ground approach velocity due to parafoil-assisted descent) 

• Failed parachute (high ground approach velocity' due to uncontrolled descent) 

F’or both scenarios, the overall approach was the same: recovery aircraft locate the SRC and assess 
the extent ot damage. If damage was minimal, then Oscar would earn’ the SRC to MAAF in a cargo 
net. If damage was extensive, then the site would be secured until NASA payload and curation teams 
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arrived. The UTTR On-Scene Commander mandated the presence of the Genesis recover} 7 team lead 
(RTL) in Oscar to assist in assessment of damage to the SRC and onboard ordnance, as a late 
addition during the last practice MAR prior to the actual event. 

3.2.1 Contingency Plan Implementation 

SRC impact occurred at 9:58:52 (all times are MDT). Impact location was 40 degrees 7 minutes 40 
seconds latitude by 113 degrees 30 minutes 29 seconds longitude. The helicopter recover} 7 aircraft 
were vectored to the impact site, where they arrived at approximately 10:05 a.m. 1 and circled for a 
few minutes, photo-documenting the site and communicating with mission control. The Vertigo 
Director of Flight Operations (DFO) requested that Oscar land first to assess the ground conditions. 
Since it had rained recently, the DFO wanted to confirm that Vertigo and South Coast would be able 
to take off without picking up excessive mud. Oscar performed a “touch and go mud sink” test at 
about 10:13 a.m.; Oscar, Vertigo, and South Coast landed at 10:14 a.m.. 

At 10:18 a.m., the RTL assessed the status of the SRC explosive ordnance and informed the On- 
Scene Commander that the ordnance had not fired — it was still live. The RTL was wearing an 
operating SO 2 monitor, but no personal protective respirator} 7 equipment. The DFO arrived and was 
briefed by the RTL on the condition of the SRC. The DFO then gave predetermined hand signals to 
the Vertigo Payload Master (PM) to put on personal protective equipment and proceed to check the 
impact site for SO 2 from all sides, which he did. The ToxiVision SO 2 monitor, which was set to 
sound an alarm at a permissible exposure limit (PEL) of 2 ppm and a short term exposure limit 
(STEL) of 5 ppm, did not go off. The RTL inspected the SRC more closely at 10:22 a.m. and 
determined that the canister structure had been breached. This meant that recover} 7 by helicopter and 
cargo net was not an option. This information was radioed back to the recover} 7 teams at the MAAF 
1012 facility who were preparing for contingency recover} 7 . At around 10:25 a.m., one of the Vertigo 
or South Coast crew personnel walked across the SRC personnel exclusion zone twice (i.e., the 
personnel off limits zone defined by the line of fire of the SRC mortar ordnance). The DFO saw the 
first incursion into the zone and shouted instructions to exit, at which time the individual re-entered 
the zone to cross back to safety. 

A recover} 7 Ground Support Team (GST1) was staged with trucks and rugged terrain vehicles 
just outside the landing footprint. After impact, GST1 drove to near the landing site, and recovery 
personnel walked to the impact site, with some arriving at 10:31 a.m. and others at 10:38 a.m. At 
approximately 10:34 a.m. MDT, the LMA Parachute-Certified Product Engineer (PCPE) who arrived 
with GST1 was carrying an SO 2 monitor and proceeded to place the monitor on the ground adjacent 
to the SRC on the upwind side. The SO 2 monitor (BW Gas Alert brand) used by the LMA PCPE 
was set to sound an alarm at a STEL of 5 ppm. The LMA PCPE was not wearing respirator} 7 
protective equipment during this operation. At about 10:35 a.m., the LMA PCPE moved the SO 2 
monitor from the upwind side to a location on the ground adjacent to the downwind side of the 
SRC. About 3 seconds later, the LMA PCPE heard the SO 2 alarm go off, quickly walked away from 
the impact site, and advised other personnel to stay clear of the SRC. The SO 2 alarm indicated that 


Times were derived from video data sources and should be considered approximate. For purposes of this assessment, 
the sequence of events is of more importance than the exact time of the events. 
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the SRC batten 7 had vented. JPL Environmental, Health and Safetv Office personnel arrived with 
GST1 at 10:38 a.m. and, upon being briefed about the unexploded ordnance and SO 2 alarm, called 
for all personnel to back away approximately 200 feet and move to the upwind side of the SRC 
impact site. 

Oscar departed the landing site at approximately 10:37 a.m. to fern’ the recovery team from the 
MAAF 1012 facility to the SRC impact site. Contingency Recovery Team A (RT-A) left the MAAF 
1012 Facility at 10:37 a.m. for the Avery hangar to ride Oscar to the SRC impact site. Recovery Team 
B (RT-B) left the MAAF 1012 facility in ground vehicles at 10:45 a.m. 

GST1 departed the SRC impact site at about 10:55 a.m. in response to direction from Genesis 
project management to return to M AA1‘ for a contingencv procedures review meeting. GST1 
intercepted RT-B on the road at approximately 11:15 a.m. and informed them that they were all 
directed to review condngency procedures with Genesis project management personnel. RT-A was 
informed of the meeting before thev lifted off and subsequently deplaned from Oscar and joined the 
meeting, which started at approximatelv 1 1:00 a.m. All recovery personnel described the contingency 
procedures they were following to the satisfaction of Genesis project management, and the meeting 
was completed at approximatelv 1 1:50 a.m., just as the GST1 and RT-B personnel arrived. 

RT-A and RT-B then proceeded to the landing site. The first priority was personnel safety (i.e., 
safe the unexploded ordnance) and then to recover as much science as possible. All operauons from 
this point forward were performed using the condngency secdon of LMA Procedure GN 1R11, 
Genesis .VRC Ground Operations for Solar Wind R ecovery, as the work-authorizing document. Procedural 
steps were written out in the field and then concurred with by LMA and JSC curation team personnel 
before implementation. Since the procedural steps were being written in real time, they were treated 
as amendments, or flags, to GN 1R1 1. At approximately 12:53 p.m., the LMA Systems Safety 
Engineer swept the SRC area with an SO 2 monitor. No respirator)’ protective equipment was used by 
recover}- personnel from this point forward. The unexploded ordnance was safed at approximately 
1 :36pm by LMA personnel and the SRC batter}' was disconnected after separating from the heat 
shield at approximately 3:00 p.m. An initial check of the SRC batter}’ indicated approximately 3 volts, 
open circuit. 

The payload canister was rolled onto a tarp to capture any collector wafer pieces (the bottom of 
the canister had separated). Wafer pieces were also collected throughout the impact site. The payload 
canister was loaded into Oscar and arrived at the MAAF Aver}’ hangar area at 6:25pm. It was loaded 
into the heat shield transport cradle and moved into the MAAF 1012 facility by forklift. The 
remaining SRC debris (heat shield, backshell, and miscellaneous pieces of the SRC) arrived by ground 
vehicle at the MAAF 1012 facility at 6:40 p.m. Another SRC batterv voltage measurement was taken 
at 7:00 p.m. 

On Friday, September 10, 2004, the Genesis M1B Chair arrived on scene at UTTR and all 
subsequent procedural flags (2 through 1 1) were coordinated with and approved by the M1B Chair. 
All subsequent activities with the SRC hardware were implemented under the direction and control 
of the MIB. 
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3.3 Method of Investigation 

JPL formed the FRB safety and communication sub-team, which worked closely with the NASA 
MIB. FRB safety and communicadon sub-team members were placed on MIB sub-teams to enhance 
their efficiency and technical expertise. The mishap investigation was performed in two phases: 

* Phase 1: Review hazard analysis documentation for adequacy (recovery, contingency, and 
ground operations). 

* Phase 2: Compare documentation with actual observed decisions and actions. 2 
Particular focus was applied to the following areas of assessment: 

® Personnel exposure to hazardous materials. 

“ Human factors, team effectiveness, and communication (including chain of command 
protocol and associated communication). 

3.3.1 Observations 

Assessment of hazard documentation and hard evidence led the Genesis evaluation boards to 
significant observations in two areas: preparation and operations. 

3. 3. 1.1 Preparation 

* Hazardous material and personal protective equipment (PPE) requirements were 
inconsistently deployed throughout the Genesis project documentation tree. Analysis of 
JPL, LMA, and LMA subcontractor documentation revealed inconsistencies in both hazardous 
material and PPE requirements (Table 3-2). Paragraph 3.2 of the LMA document Sample Return 
Capsule Recover y Operations Rian, Rev. A (GN-65100-100), does not match the requirements in the 
JPL documents for nominal landing operations. Also, PPE and/or hazard identification and 
control is not addressed for the “no MAR contingency” scenario in any of the documents listed 
in the table. 

* “No MAR Contingency” requirements in six Genesis documents were inconsistent. 

Analysis of JPL, LMA, LMA subcontractor, and UTTR documentation revealed inconsistent 
levels of detail associated with the “no MAR contingency” scenario (see Appendix F). 

* Contingency requirements did not adequately address hazardous material control 

processes. Although a wind sock was installed at the SRC impact site, doing so was not planned 
for. One of the recovery personnel had previously worked at a petroleum facility and had taken 
the initiative to ensure that a wind sock was installed (the payload grounding rod was used as a 
stake and a pink plastic streamer was used as the flag; refer to interviews with recovery 7 
personnel). Since SO 2 is gaseous, using a wind sock to ensure personnel stay upwind of the 
impact site is crucial. Use of wind socks in airborne hazardous material control situations is an 
emergency response industry standard. Nonetheless, detailed live ordnance contingency planning 
requirements could not be found within the Genesis project documentation tree. 


2 

Observed decisions and actions were evaluated using video data, audio data, photographic data, and personnel 
statements. Privileged interviews were offered to JPL and LMA employees; however, all interviewees requested non- 
privileged status (Note: DoD UTTR personnel interviews were privileged). 
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Table 3-2. Hazardous Materials and Personal Protective Equipment Requirements 


Document 

Org. 

Nominal Recovery 
Operations, Landing 

Nominal Ground 
Operations, MAAF 
1012 Facility 

No MAR Contingency 

Earth Targeting and Entry 
Safety Plan, Vol. 1, JPL 
D-29358, August 16, 2004 
(includes JPL D-29980, Ind. 
Asses, for PPE) 

JPL 

Acid gas half-masks, 
SO 2 detection meter 

SCBA; SO 2 , CO, 
HCN detection 
meters 

No mention of PPE or hazardous 
material monitoring. 

Genesis Mission-Recovery 
Phase Systems Safety Plan, 
GNS 61000-200 Vol.3, JPL 
D-29566, Preliminary, August 
2004 

JPL 

Para. A 2.6.1. 4, 
acid gas half-masks, 
SO 2 detection meter 

Paragraph B 3.1.2 
SCBA + SO 2 , CO, 
FICN detection 
meters 

Para 2.5, top-level contingency 
planning: no PPE mentioned, but 
“safety and security perimeter” 
required; also identification of 
“all potential hazards and provide 
remediation plans.” 

Sample Return Capsule 
Recovery Operations Plan, 
GN-65100-100, August 23, 
2004, Rev. A 

LMA 

Para. 3.2, “...Simple 
colorimetric detector 
tube “snifT...” 

Not in document 
scope 

Para. 4.3, detailed contingency 
planning: no mention of PPE or 
ordnance hazard. 

Genesis SRC Ground 
Operations for Solar Wind 
Recovery, GN_1 R1 1-New, 
August 16, 2004 

LMA 

Not in document 
scope 

SCBA + SO 2 , CO, 
HCN detection 
meters 

Recovery team checks for SO 2 , 
CO, HCN; no PPE specified 


3.3.1. 2 Operations 

* Genesis recovery personnel did not follow and execute JPL-mandated hazardous 
material and personal protective equipment requirements, as detailed in the Eartb 
Targeting and Entry Safety Plan, VoL 1 (JPL D-29358) and Genesis Mission- 
Recovery Phase Systems Safety Plan, VoL 3 , (GNS 61000-200, JPL D-29566). Half- 
mask gas respirators were not used during the first ground approach by the recovery team lead. 
Although the use of half-mask gas respirators is not stipulated for contingency operations in 
LMA document Sample Return Capsule Recovery Operations Plan, Rev. A (GN-65100-100), it is clear 
that paragraph 2.5 of JPL document Genesis Mission-Recovery Phase Systems Safety Plan, l ol. 3 (GNS 
61000-200, JPL D-29566), Preliminary, requires that a “safety' and security’ perimeter” be 
established, identification made of “all potential hazards,” and provisions made for “remediation 
plans” for contingency situations. The JPL requirement to use half-mask gas respirators for all 
approaches to the SRC during nominal operations would no doubt be required by JPL for any 
personnel approaching the SRC during contingency’ operations. 

* SRC safety perimeter was verbally enforced and ineffective One recovery’ aircraft person 
was observed in video footage crossing twice into the SRC mortar ordnance “personnel 
exclusion zone” (30 degrees to either side of the drogue chute mortar centerline). The Vertigo 
DFO is seen on the video footage turning his head at the zone incursion and communicating 
warnings by voice and hand gesture. The person who initially crossed the exclusion zone is then 
seen walking back across the zone again. 

* Hazardous material awareness training could not be verified for all personnel with 
potential for exposure. Review of project requirements, personnel interviews, and training 
documentation did not reveal a consistent and documented method for ensuring that “right to 
know” hazardous material training was given to all recovery personnel. 
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* Follow-up medical examination and debriefing was not provided to the individual who, 
not wearing respiratory protective equipment, was closest to the SRC debris when the 
SO2 detector went into alarm. The individual was referred to his organization’s health and 
medical entity for follow-up examination and debriefing (refer to personnel interviews). 

* Communication paths optimized for nominal operations impeded communications 
during contingency operations. The number of radio communication units was purposely 
limited to ensure safe and clear communication during landing operations. However, more units 
would have helped communication between Genesis project management and field recover}' 
personnel during the first 60 minutes after impact. For example, RT-B drove to the SRC impact 
site only to have a returning vehicle inform them that all teams were to return to MAAF for a 
planning meeting — this occurred after RT-B had traveled for 30 minutes. RT-B or their ground 
vehicle did not have a radio unit and did not know that a return-to-base order had been issued 
(refer to initial MIB statements/logbooks from recovery 7 teams and interviews with recovery 
team personnel). More communication devices between the several ground and flight units 
would also have prevented the Vertigo crew member from walking across the active mortar field. 

3.4 Findings 

Findings and recommendations presented in this report are based on the following definitions of 
proximate and root causes, found in NASA Procedural Requirements for Mishap Reporting, Investigating, and 
Recordkeeping (NASA NPR 8621.1). 

Proximate Cause. The event(s) that occurred, including any condition(s) that 
existed immediately before the undesired outcome that directly resulted in its 
occurrence and, if eliminated or modified, would have prevented the undesired 
outcome. Also known as the direct cause(s). 

Root Cause. One of the multiple factors (events, conditions, or organizational 
issues) that contributed to or created the proximate cause and subsequent 
undesired outcome and, if eliminated or modified, would have prevented the 
undesired outcome. Multiple root causes typically contribute to an undesired 
outcome. 

A review and analysis of the five general assessment findings resulted in three proximate causes. 

3.4.1 Proximate Cause 1: Inadequate Configuration Management of Requirements 

A variety of documents were examined, and a high degree of variability was found in the extent of 
PPE requirements identified in those documents. Additionally, there were many sets of requirements 
for the “no MAR contingency 7 ” condition. However, there was never any apparent attempt to 
coordinate and integrate these requirements by having a higher-level document levy requirements on 
each of the areas (and show traceability 7 to the lower-level requirements), or by integrating these 
requirements into a consolidated and cohesive document used bv all parties involved in the recovery 7 
operation. 

3.4.2 Proximate Cause 2: Inadequate Contingency Planning and Training 

The various versions of “no MAR contingency” requirements did not address PPE at all, in spite of 
the significant attention paid to the need for PPE during normal operations. There were also no 
operational directives in any of the various contingency plans for hazardous materials. In fact. 
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minimal consideration was given to contingencies for the potential existence of live (unfired) 
ordinance onboard the SRC. No detailed pre-existing procedure was in effect for safing the 
ordinance. 

Contingency planning was further complicated bv an unclear chain of command and imprecisely 
defined roles (i.e., who was responsible for what action?). In addition, roles and responsibilities were 
not communicated clearly to the teams. 

The lack of training and traceable training was also a factor. This refers not only to training for 
PPE and hazardous materials handling but also to training in contingency scenarios. Except for the 
curation team, there is no evidence that the teams involved in the on-site recovery 7 had walked 
through the procedures for various contingency events prior to the SRC recovery. 

3.4.3 Proximate Cause 3: Inadequate Contingency Execution 

The evidence presented from the actual operation demonstrates a failure to properly execute the 
contingency plans. First, a wind sock was established only after SCL was discovered inside the SRC. 

In addition, the first approach bv an individual to the SRC and first close examination occurred 
without the use of required half-face respirators. Consequently, there was no clear contingency 7 
followed as specified. 

Furthermore, poor field communications were demonstrated in nearly every aspect of the initial 
SRC examination and recovery. This led to personnel being placed at risk, as evidenced by the flight 
member crossing in front of the unfired mortar exclusion zone. In fact, he did this twice due to 
misinterpreted hand signals that directed him to avoid the exclusion zone. There was also weak 
communication between project management and the field teams, as evidenced by the dispatch and 
recall of teams for meetings. Finally, there was no medical follow-up for those who were exposed to 
the potentially toxic environment in the field, even though medical attention was suggested. 

3.5 Root Causes and Recommendations 

JPL will be conducting more real-time mission events as the Laboratory 7 continues its shift from fly- 
by reconnaissance of planetary 7 bodies to direct interaction with the planets and other bodies in the 
solar system. This interaction ranges from in situ surface activities such as rovers to actual sample 
returns not unlike the Genesis effort. It is understandable that the Laboratory is likely to experience 
learning events such as the Genesis mishap. Thus, it is important that the Laboratory 7 learn from 
these events in order to both improve the likelihood of success in returning valuable science and also 
in providing safe operations. 

The identification of three proximate causes relative to safety 7 and communication leads to the 
identification of root causes. The identification of root causes will help eliminate the likelihood of 
similar failures in future missions. Data, which was carefully reviewed, included interviews with 
individuals associated with the Genesis SRC recovery 7 . The reporting of events leading up to the SRC 
recovery 7 date was essentia! to understanding the background for the safety and communication- 
related proximate causes of the mishap. Such an analysis led to additional understanding of the 
conditions, and suggested plausible root causes to the recovery and ground safety sub-team. 
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3.5.1 Root Cause 1: Inadequate Resources to Properly Prepare for the Event 

Genesis was a Discovery-class mission, which, by definition, implies limited total resources. The 
amount of effort required to prepare for the reentry and recovery was clearly underestimated, and 
there was insufficient personnel available to deal with the large number of issues that needed to be 
addressed. In addition, the need to support large numbers of reviews stretched thin the already 
limited workforce, as they not only tried to support these reviews, but attempted to follow through 
with the recommended actions as well. This was especially true as the date of reentry drew closer. 

The lack of sufficient resources was especially harmful because it resulted in the inability to 
properly staff the systems engineering and configuration management tasks that would have ensured 
that the required consistencies between important procedural documents were established and 
maintained. Limited resources also restricted the ability to make timely updates to the 
documentation. In particular, important changes were made in the last few days before reentry 1 , 
resulting in insufficient time to properly inform and adequately train the recovery team. This failure 
caused documentation inconsistencies for the recovery team, and was magnified by the lack of a 
configuration management coordinator. 

Another related shortcoming was the minimal amount of coordinated training on PPE and other 
safety-related issues. The individual training shortfall was exacerbated by the failure of the recovery' 
team to properly “dty run” potential contingencies. Their attention was focused on the nominal 
recovery', to the detriment of training for the contingencies of “no MAR” situations. 

Recommendation 

RIO Update /PL Flight Project Practices (JPL Rules! Document ID 58032) to assure early definitive 
planning and identify adequate funding and schedule margin during the late-mission time 
frame necessary' to support late-mission-critical activities (reviewing, testing, and necessary' 
training to ensure mission success). This requirement is especially true for sample return 
and surface operations missions, which are only now becoming a significant part of JPL 
mission work. 

3.5.2 Root Cause 2: Insufficient Leadership Attention to the Details 

Insufficient leadership attention is arguably a consequence of the limited resources available to 
provide adequate staffing of project personnel. Nevertheless, the project management is accountable 
for the success of the mission. The chain of command for various contingencies was inadequately 
elaborated and explained. Differences of opinion existed as to the Project Manager’s roles and 
responsibilities during recovery' operations. The roles were not identified, documented, and/or 
communicated. This resulted in mixed signals and contributed to a sense of confusion during the 
early part of the recovery' following the impact of the SRC. 

“Safety first” was not an adequate part of the project management approach. In fact, there was a 
lack of dedication on the part of the project leadership in regard to safety issues. For example, 
management minimized the concern expressed bv JPL Safety personnel about the likelihood of 
battery' rupture in an impact situation. Although there was a directive to comply with safety' issues, 
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especially in the area of PPE issued bv the Project Manager, there was no obvious commitment to do 
so by other members ot the project leadership. 

Recommendation 

Rll Require safer,' plans for sample return missions to be approved and signed off by the 

cognizant “Directors-for” for both the safety organization and the doing project’s directorate. 
Further, ensure that project management chain of command is clearly identitied in the 
appropriate project-level document(s). Finally, require all Category A risks (i.e., those with 
severe mission success impact) follow the /PL Flight Project Practices mandates regarding 
Project Manager signature approval. 

3.5.3 Root Cause 3: Inconsistent Contingency Planning and Preparation 

Many of the contingency reviews and other actions related to contingency planning were delayed 
until late in the project life cycle. Contingency plans were being created and updated days before re- 
entry, with insufficient time to communicate those changes across the project and to prepare the 
required document changes. There was no project buv-off or signature to some of the contingency 
plans, thereby not enforcing project management buy-in or project enforcement. 

The behavior of personnel initially involved on scene was not consistent with any plan. For 
example, the first person to arrive at the SRC approached upwind but without the Safety-prescribed 
PPE (i.e., half-face gas mask). Video evidence clearly shows that the first person to arrive at the scene 
placed his face closer to the SRC than a second individual placed the SO: monitor, without 
consideration of potentially toxic gases and unexploded ordinance. 

There was no single document defining the contingency plan and associated operations. In 
addition, there were no exercises (i.e., training activities) under the various contingency situations. 
Such dry runs would have prepared the on-scene team to perform appropriately while identifying 
potential harmful behaviors. Contingency execution was relegated to doing things impromptu, 
without a well thought-out consequence-based procedure to w'hich the team had been trained. 

Recommendations 

R12 Provide project management training to ensure necessary attention is given to 

contingency plans; incorporate a section on safety and contingency planning into 
project manager workshops. 

R13 Require a single overarching contingency plan at the project level for all missions. This 
document would define the requirements for all other project subelements. These 
contingencv requirements would include the identification of required tests and training 
activities, ORTs, etc. 
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3.5.4 Root Cause 4: Poor Communications at the Scene 

Personnel on the scene were not equipped with proper communication capabilities; consequently, 
intentions were confused and conflicting. It was clear from the actions observed during the carlv 
minutes after impact that individuals were not able to communicate adequately. There are several 
examples: 

* Lack of communication between on-scene personnel and mission control and the Project 
Manager resulted in differing instructions for the contingency review meeting. This caused 
much wasted effort. 

* Lack of communication between the on-scene recovery team and the Project Manager resulted 
in recovery actions proceeding in an ad hoc manner and without the Project Manager’s 
approval. 

* Lack of clear communication between the on-scene personnel resulted in an individual walking 
in front of the mortar personnel exclusion zone twice. 

Recommendation 

R14 In JPL Plight Project Practices (JPL Rules! Document ID 58032), clearly identify communication 
requirements for recovery-type missions (such as sample return missions and balloon flight 
experiments) that ensure effective communication between the project manager and on-site 
personnel, as well as among on-site personnel. This may be incorporated into a more general 
practice on identifying requirements on communication between multiple operations sites 
(including temporary sites, such as a landing recover}' site) and within each operations site 
(including temporary sites). 
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4. CLOSING RECOMMENDATIONS 

The recommendations presented in this report should not discourage NASA or JPL from continuing 
its support of the Discovert' Program. While it is recognized that the recommendations made in this 
report will require resources, they must not become so onerous that the Discovert' Program cannot 
support them. Discovert’ has provided a great service to scientists, students, and the general public. 
By increasing the number of science missions, much more science has been gained than lost. In 
addition, it should not be lost on the reader that Genesis has not been a total failure. Even though 
the final reconstruction of science is yet to come, the Genesis samples are in-hand and being 
evaluated. 

The specific recommendations in this report, if implemented, may ensure a higher success rate 
for the Discovery Program. The recommendations should be implemented as new missions and 
decisions are made within the Discovery Program. 
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APPENDIX A: COMPREHENSIVE DROGUE NOT DEPLOYED FAULTS 


Table A-la. Fault 1: Electrical Power Failure 


No. 

Fault Type 

Assigned Value: Unlikely 
Credible Unlikely Not Credible 

1.1 

Spacecraft bus sequence wrong 


X 

1.1.1 

Battery online command incorrect 


X 

1.2 

Power state of circuits incorrect (relays) 

X 


1.2.1 

Cable cut effects 

X 


1.2.2 

Spin up effects 


X 

1.2.3 

Separation shock effects 

X 


1.2.4 

Entry load effects 


X 

1.2.5 

Power off transient in MDE card toggles power relays 


X 

1.2.6 

Relay did not connect to EST position 

X 


1.3 

Power electronics design flaw 


X 

1.4 

Power disconnected on entry 


X 

1.4.1 

Battery enable plug came loose 


X 

1.4.2 

Entry loads disconnected power connectors 


X 

1.5 

Entry thermal environmental effects 

X 


1.5.1 

Entry plasma effect on cut cables 

X 


1.5.2 

Overheating and shorting of cables 


X 

1.6 

Inadequate battery voltage and power for avionics, or 
to fire ordnance 

X 


1.6.1 

Excessive electrical loads 

X 


1.6.1. 1 

External short drained battery 


X 

1 .6.1.2 

Battery drained before entry-excess avionics load 

X 


1.6.1. 3 

Deadface issue drained battery 


X 

1.6.2 

Inadequate battery 

X 


1. 6.2.1 

Battery drained before entry — bad power model 

X 


1. 6.2.2 

Battery temperature too low for required current, 
in flight 


X 

1. 6.2.3 

1.6.3 

Battery stored at too high temperature, in flight 
Mechanically damaged battery (cell leak, open circuit, 
short circuit) 

X 

X 

1.6.4 

Battery thermostat open on EDL 


X 

1.6.5 

Depassivation not complete 


X 
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Table A-lb. Fault 2: Avionics Failure in the SRC 


No. 

Fault Type 

Assigned Value: Credible 

Credible Unlikely 

Not Credible 

2.1 

G-switch did not activate sequencer 

X 


2.1.1 

Improper orientation of G-switch 

X 


2.1.2 

Loads prevented G-switch activation 


X 

2. 1.2.1 

G-switch cannot handle design spin loads 


X 

2. 1.2. 2 

Spin rate exceeded G-switch capability 


X 

2. 1.2. 3 

G-switch cannot handle design angle of attack 
loads 


X 

2. 1.2.4 

Angle of attack exceeded G-switch capability 


X 

2.1.3 

High-frequency chatter activation interference 


X 

2.1.4 

Space effects rendered G-switch unusable 


X 

2.1.5 

G-switch shorted at test connector 


X 

2.1.6 

G-load profile off-nominal 


X 

2. 1.6.1 

Loads never reached trigger level 

Combined with 2.1.6 

2.1. 6.2 

Loads never dropped below trigger prior to impact 

Combined with 2.1.6 

2.1.7 

Incorrect G-switch installed 


X 

2.1.8 

Mechanical failure of G-switch 


X 

2.2 

Low pass filler wrong time constant 


X 

2.2.1 

Improper filter design 


X 

2.2.2 

Entry dynamics exceeded filter capability 


X 

2.3 

Reset on timer trigger 

X 


2.4 

Oscillator frequency wrong 


X 

2.5 

Latent fault due to high voltage discharge 


X 

2.6 

Pyro ballast (current limiting) resistors damaged in 
test 


X 

2.7 

Timing of ANDed circuits out of phase 


X 

2.8 

Timer jumpers wrong, causing excess delay 


X 

2.9 

EMI disrupted circuit operation 


X 

2.9.1 

Internal EMI 


X 

2.9.2 

External EMI 


X 

2.10 

Environment effects on avionics 

X 


2.10.1 

Space (micrometeoroid, orbit debris, radiation, 
vacuum) 

Closure record combined with 
2.10 

2.10.2 

Entry effects, thermal induced 

Closure record combined with 
2.10 

2.10.3 

Entry effects, plasma induced 

Closure record combined with 
2.10 

2.10.4 

Entry effects, mechanical induced 

Closure record combined with 
2.10 

2.11 

Cross-strapped pressure transducer interferes with 
fire command 


X 

2.12 

Avionics shorted, internal 


X 

2.13 

Fuses opened 


X 
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Table A-lc. Fault 3: Harness/Connector Failure 


No. 

Fault Type 

Assigned Value: Unlikely 

Credible Unlikely Not Credible 

3.1 

Circuits not connected to pyro 

X 

3.1.1 

Connected wrong 

X 

3.1.2 

Connectors loose or demated 

X 

3. 1.2.1 

Separation shock 

Closure record combined with 3.1.2 

3.1. 2.2 

Entry loads 

Closure record combined with 3.1.2 

3. 1.2. 3 

Improper installation 

Closure record combined with 3.1.2 

3.1.3 

Bent pin/contamination/open in connectors 

X 

3.2 

Harness open 

X 

3.2.1 

TPS failure, breach or excessive temperatures 

X 

3.2.2 

Micrometeoroid damage/orbit debris 

X 

3.2.3 

Harness flexing, e.g., hinge movement 

X 

3.3 

Harness shorted 

X 

3.3.1 

TPS failure, breach or excessive temperatures 

X 

3.2.2 

Micrometeoroid damage/orbit debris 

X 

3.3.3 

Harness flexing, e.g., hinge movement 

X 

3.3.4 

Test port plug shorted out 

X 
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Table A-ld. Fault 4: Drogue System Failure 


No. 


Assigned Value. Unlikely 

Fault Type 

Credible Unlikely Not Credible 

4.1 

Pyro failed 

X 

4.1.1 

NSI failed to fire 

X 

4.1. 1.1 

NSI is a dud/degraded/contaminated propellant 

X 

4.1. 1.2 

Inadequate current for required duration, all fire 

X 

4.1. 1.3 

Broken bridge wire 

X 

4. 1.1.4 

Shelf life exceeded 

X 

4.1.2 

Mortar booster charge failed to fire 

X 

4. 1.2.1 

No propellant in booster charge 

Combined with 4.1.2 

4. 1.2.2 

Wrong amount/wrong propellant in booster charge 

Combined with 4.1.2 

4. 1.2. 3 

Booster charge is a dud/degraded 

Combined with 4.1 .2 

4.1. 2.4 

FOD 

Combined with 4.1.2 

4. 1.2. 5 

Propellant contamination 

Combined with 4.1.2 

4. 1.2. 6 

Incomplete combustion of propellant 

Combined with 4.1.2 

4.1.3 

TPS failure, breach or excessive temperatures 

X 

4.2 

Drogue parachute did not deploy 

X 

4.2.1 

Mortar lid not expelled 

Combined with 4.2 

4.2.1.2 

Insufficient gas pressure generated by booster 
charge 

Combined with 4.2 

4.2.1. 2 

Manifold failed to contain/transfer energy 

Combined with 4.2 

4.2.2 

Sabot jammed 

Combined with 4.2 

4.2.3 

TPS failure, breach or excessive temperatures 

X 
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Appendix B: Battery Analysis 

Two primary (non-rechargeable) batteries 1 provided power to the electronics and ordnance devices 
on the Sample Return Capsule (SRC). Both batteries were housed in the same titanium enclosure 
(Figure B-l) and were the only source of energy for the SRC after being released from the Genesis 
spacecraft. The same batteries also provided power to Avionics Units A and B, one batten 1 for each 
unit. The eight LiSCF cells were procured from SAFT and assembled by Eagle Picher. The cells were 
connected in series, with a blocking diode on the positive leg, and physically separated by a G10 
board placed between them. Once the batteries were inside the enclosure, the void volume was filled 
with Eccofoam insulation and covered by several sheets of Kapton. A titanium cover with three 
windows was secured on the top with eight screws. 

Being primary batteries, they remained inactive (open circuit) for the majority of the mission, 
with the exception of some short-duration tests during Assembly, Test, and Launch Operations 
(ATLO). They were put online prior to SRC separation from the main spacecraft, after both batteries 
had been through a depassivation process. 

Figure B-1 . Genesis battery with temperature 
sensors attached prior to installation of 
heaters and black Kapton top layer 


After the hard landing of the SRC in 
the Utah desert, speculation abounded as 
to the batteries’ contribution to the failure. 

SO 2 monitors at the impact site indicated 
presence of the gas, a main component of 
the battery cells, suggesting a possible 
battery leak. Initial battery voltage measure- 
ments (post-impact) indicated a totally depleted batten 1 . However, the outer physical appearance of 
the bat teiy after the impact did not show significant damage. 

The batter} 7 was de-integrated from the SRC and shipped to the LMA facility in Denver. Later, 
the NASA MIB and JPL FRB decided to perform the full investigation of the battery' at JPL. Guided 
by pertinent sections of the fault tree, a batten' analysis and test plan was developed that would 
methodically inspect, test, and disassemble the battery' down to the cell level, and if necessary', to the 
cell component level. 



The two batteries are collectively referred to as the SRC battery. 
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B.1 Investigative Procedures 

Five separate procedures, described in the following sections, were planned to address closure of the 
various branches of the fault tree. They were developed such that follow-on procedures depended on 
the findings of the previous procedure. 

B.1.1 Procedure 1: Battery Inspection and Test 

A thorough inspection of the battery was performed at JPL, including dimensions, weight, and some 
electrical measurements at the battery level. Peripheral devices such as the four temperature sensors 
and the three heater strips were also measured. All measurements were also done on the ATI A) 
battery for comparison. The outer appearance of the batten' looked very clean and indicated minimal 
damage from the hard landing. Figure B-2 shows the battery during initial inspection at )PL. 


'■ 



Figure B-2. SRC battery, pre-flight 


With the exception of a bowed top cover and some discoloration/staining on the top cover and 
black Kapton (Figures B 3, B-4), the battery surprisingly escaped severe damage from the hard 
landing. Physical dimensions of the battery were measured and were found to be comparable to pre- 
flight measurements, with the exception ot height. This discrepancy is due to the bowing of the top 
cover. 
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The post-flight batten' weight of 1.810 kg indicated a decrease of about 250 grams compared to 
the as-built weight (ATLO batten' weight was 2.060 kg). Later procedures would show that this was 
due to loss of active materials from the cells due to venting. 

Battery voltages were measured at JPL and read 0.379 volts and 0.206 volts, lower than the last 
measurements taken at UTTR. This would indicate that (a) the batteries continued to discharge, 

(b) the internal impedance of the batteries increased, or (c) possibly more SO 2 was released from the 
individual cells after the first measurement. Battery isolation resistance was measured between the 
batten - terminals (through the electrical connector) and chassis; there was adequate isolation. 


There are four AD 590 temperature sensors on the battery, two on each side at diagonally 
opposing corners. The performance of all the sensors was measured using the circuit shown in 
Figure B-5. 


Figure B-5. Test circuit used to measure 
performance of temperature sensors 



A baseline measurement of current across the resistor was taken using a pristine sensor. All flight 
sensor temperature readings were consistent with the baseline measurement, validating the in-orbit 
temperature telemetry of the battery - . 

Three heater elements were located on the SRC battery - — one on each longitudinal side and one 
on the bottom. The heater elements on the sides were paralleled together and were used to heat the 
battery - prior to the depassivation process. The bottom heater element was used after the batteries 
were commanded to the EST to keep the battery at optimum operating range throughout the release 
and reentry - phase. The heater elements were purely resistive devices and were measured using an 
Agilent 34401 A 6-p digit multimeter. No short-circuit or open-circuit conditions were observed, and 
the resistance measurements were consistent with expected values. 

The battery was also inspected using a Fein focus x-ray to see the condition of the battery - inside 
the chassis. This tool could help determine whether any cell cases had been compromised either by 
venting or the hard impact. Having this information in hand would also help develop a safe 
disassembly procedure. Exposures were taken from sufficient angles to see if anything out of the 
ordinary could be detected. Results showed that the cells were intact but otherwise were inconclusive, 
i.e., the images did not reveal if any of the cells had vented. 
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B.1.2 Procedure 2: Top Cover Removal 

The ATLO batten' (i.e., one that had not been exposed to a flight environment) was opened first for 
comparison purposes. Figure B-6 shows the top of the ATLO batter)' underneath the cover and 
Kapton layers. The Eccofoam insulation looks pristine and has a pinkish color. By contrast, when 
the SRC batter)' top cover was removed, there was significant discoloration of the Eccofoam 
insulation, indicating exposure to excessively high temperatures (Figure B-7). The worst 
discoloration, almost black, was localized over the nickel cell interconnect tabs. This condition is 
consistent with high-rate discharge over a significant duration. 



Figure B-6. ATLO battery showing pristine Eccofoam insulation 



Figure B-7. SRC battery Eccofoam insulation 
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Pieces of the pyrolized foam were removed and revealed significant corrosion over the top of 
cells (Figure B-8). A piece of foam was tested to see how high a temperature would be required 
pyrolize it to a condition similar to the foam in the SRC batten-. The foam started discolorauon at 
140'C and showed significant discoloration at 200”C. 



Figure B-8. SRC battery cell tops 


Close inspection of the battery' revealed that one cell interconnect was broken — the connection 
from the positive of cell 4A to the negative of cell 3A. Cell 4A stands about a quarter ot an inch 
higher that the rest of the cells, possibly as a result of lifting from energetic venting. This would 
explain the broken interconnect. Areas under the interconnect tabs showed significant heat damage. 

B.1.3 Procedure 3: Battery Disassembly 

A complete disassembly of the battery' was undertaken. Careful attention was paid to see it any short 
circuit condition had occurred. The blocking diodes, the wires, and the connector were carefully 
inspected, but no short-circuit evidence was observed. There was a sign of discoloration on the 
outside package of the diode and the surrounding Eccofoam, but electrical testing showed that the 
diodes were still forward biased and showed the proper voltage drop. 

The cells were removed from the battery housing after all the interconnect tabs were cut. The 
cells showed significant corrosion at the bottoms, where the vent points were located, and also 
displayed significant heat damage underneath the cell interconnect tabs. Typical cell bottom and cell 
top photos are shown as Figures B-9 and B IO, respectively. Close inspection of the cells revealed 
that all cells had vented. 
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Figure B-9 (above left). Picture taken of a typical cell bottom (Cell 3A) after removal, illustrating the excessive corrosion 

evident due to the release of SO 2 

Figure B-10 (above right). Picture taken of a typical cell top (Cell 3A) after removal, illustrating charred area underneath 
cell tab; Kapton tape placed on cell top to provide cell orientation details 


After the cells were separated, they were individually X-rayed. Close inspection of the X-rays 
indicated that all the spiral plates inside the cells were still in place and appeared undamaged. No 
signs of internal short circuit could be seen. 

B.2 Fault T ree Analysis 

The fault with the most relevance to the battery analysis, “inadequate battery' voltage and power for 
avionics, or to fire ordnance,” has five major branches: 

1 . Excessive electrical loads 

2. Inadequate battery’ 

3. Mechanically damaged battery (cell leak, open circuit, short circuit) 

4. Battery' thermostat open on EDL 

5. Depassivation not complete 

The following paragraphs detail how these branches were closed out as noncontributors to the 
Genesis mishap. 

B.2.1 Excessive Electrical Loads 

Three possible scenarios were looked at for this branch of the tree. 

External Shorts Drained Battery’ 

A portion of the SRC harness bundle that included the battery' harness showed obvious signs of 
discoloration, suggesting burning or high-temperature exposure. Measurement of the positive and 
return pins at the battery 7 connector indicated that an electrical short existed. The harness was 
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removed and taken to the National Transportation Safety Board for further analysis (see 
Appendix C). Analysis indicates this is not credible. 

Battery Drained Before Entry — Excess Avionics Load 

The avionics loads were reviewed to see if they drained the batten,’ before the SRC entered the 
Earth’s atmosphere. There is no SRC current telemetry’ for the avionics load, so no direct 
measurement was available. However, reviewing the test results and using the mission simulation 
battery test results indicate excessive loads would be an unlikely cause. 

Deadface Issue Drained Battery 

The science payload canister in the SRC was controlled and powered through the spacecraft via an 
umbilical harness bundle. This umbilical interface was severed using a pyro-initiated bolt cutter prior 
to SRC release for entry and descent. For the most part, this interface was deadfaced to ensure no 
short circuit condition could affect either the spacecraft or the SRC. LMA performed a deadface 
analysis and concluded that cutting the umbilical interface did not affect the SRC battery’. The MIB 
initiated an independent analysis performed by Mitchell Davis of the Goddard Space Flight Center 
Electrical Systems Branch. His analysis concurred with the Lockheed finding that the SRC battery 
was isolated from the umbilical interface, such that any short circuit condition on this interlace could 
not possibly discharge it. 

B.2.2 Inadequate Battery 

Three different scenarios were looked at for this branch of the tree. 

Battery Drained Before Entry — Bad Power Model 

The power profile for the SRC was revisited. It was clear that there was ample margin in the battery’ 
to power the avionics and ordnance devices, even in worst-case conditions. The analysis shows that 
even at the worst-case 35% battery’ state -of-charge, either battery’ alone would still provide adequate 
current and ample voltage to fire the NSI for the drogue chute. For these reasons, this scenario was 
eliminated as a proximate cause. 

Battery Temperature Too Low for Required Current (In Flight) 

The USO 2 battery’ performance is optimal in a temperature range of 20 to 50 C. The SRC battery- 
had a heater to keep it within this range during entry and descent. In addition, the battery was heated 
to 50°C for the depassivation process. The battery thermal analysis predicted the battery’ temperature 
to be around 30°C at the time of drogue chute deployment. 

The battery heater was inspected during the battery investigation at JPL and was still operational, 
(i.e., neither shorted nor open circuit). The warm-up of the battery in preparation for the 
depassivation was nominal, and the battery temperature prior to umbilical cut was within 2 degrees of 
that predicted. The temperature strips in the capsule were evaluated, and recorded temperatures were 
within prediction. The devices were calibrated post-flight and were within 2 degrees of reference. 

This validates the thermal model for the thermal analysis of the capsule. Hence, this scenario was 
eliminated as a proximate cause. 
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Battery Stored at Too High Temperature (In Flight) 

During the early stages of the mission, after the SRC cover was opened, the batten- temperature 
started increasing and exceeded the flight- allowable temperature of 23°C. Over the 28-month 
mission, the battery 7 temperature continued to increase, reaching a maximum of 60.5 C (LiSO: cell 
degradation is greater at higher storage temperatures). 

An extensive ground-aging test was undertaken by Lockheed immediately after the anomalous 
battery temperature condition was observed. Several cells/packs of representative LiSCb cells were 
subjected to tests at different temperatures. Some followed mission profile plus 5, 10, and 15°C and 
some were tested at different constant temperatures up to 70"C. After the aging test, the cells and 
packs were subjected to depassivation and load profiles for entry and descent. All passed with ample 
margin except for the test pack, which was stored at a constant 70°C. To make sure that in-orbit 
temperature telemetry was valid, temperature sensors were tested and the results compared to data 
on a pristine sensor. The data compared favorably. 

B.2.3 Mechanically Damaged Battery 

Several ordnance events subjected the SRC to mechanical load environments prior to the drogue 
chute deployment. These include the spacecraft-to-SRC cable cut, the SRC hinge separation, and the 
SRC /spacecraft separation. In addition, the SRC needed to sustain reentry loads. A scenario is 
possible where battery 7 damage during one of these events could be sufficient to render the batteries 
unusable to power the avionics and ordnance devices. This failure mode was deemed noncredible 
based on the following: 

* The SRC battery 7 successfully passed all mechanical environmental qualification testing 
without deviations, including shock, random and axial acceleration. 

® Complete disassembly of the battery- did not reveal any signs of mechanical damage, with the 
exception of a broken cell interconnect tab on one battery. This broken interconnect could 
be attributed to the venting of the cell attached to the interconnect. It is highly likely that the 
tab broke when the cell vented, lifting this particular cell higher than the other cells in the 
battery-. There were no broken interconnect tabs on any of the other cells. 

B.2.4 Battery Thermostat Open on EDL 

One of the archive battery drawings shows thermostats on the return leg of each battery. If both 
thermostats opened during entry- and descent, no power would be available to the avionics unit and 
the ordnance devices. This failure mode was deemed noncredible based on the results of the battery 
X-ray inspection and disassembly. No thermostats were found on the batteries. 

B.2.5 Depassivation Not Complete 

Prior to release of the SRC, a 5-minute discharge of the batteries through a ~3-ohm load was 
performed to remove the passivation layer in the battery cells. At the conclusion of the discharge 
portion of the procedure, it was noted that the battery voltage was lower than expected, compared to 
ground test data. This raised the concern that insufficient removal of the passivation layer would not 
reduce the internal impedance of the battery- to a level that could cause a low-voltage output, 
inadequate to initiate the pyrotechnics system. 


63 


Genesis Failure Investigation Report 


Appendix B 



In-orbit depassivation data was compared to the ATLO batter}' depassivadon data and the 
voltages were very consistent. After the depassivadon process, the ATLO batten' was subjected to 
the SRC load profile, including simulated firing of ordnance, and showed adequate margin. All the 
ground-aging packs were also subjected to the 5-minute depassivadon process and the SRC load 
profile, and successfully passed, with the exception of the pack that was stored at a constant 70 C. 
All test data indicate ample batten' performance margin after a 5-minute depassivation. 

The lower-than-expected end of depassivadon voltage (as compared to ground test data) was 
determined to be a result of using a 10% higher value depassivation resistor in the ground test. A 
correction for the resistor value brought the nvo values within the expected range. 
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APPENDIX C: NATIONAL TRANSPORTATION SAFETY BOARD REPORT 


The report follows in its entirety. Numbering and formatting have not been altered to match the 
Genesis Failure Investigation R eport because only a password-locked pdf version of the NTSB report was 
available for our use. 
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NATIONAL TRANSPORTATION SAFETY BOARD 

Office of Research and Engineering 
Materials Laboratory Division 
Washington, D.C. 20594 

November 22, 2004 



MATERIALS LABORATORY FACTUAL REPORT 


Report No. 04-133 


A. ACCIDENT 


Place 
Date 
Vehicle 
NTSB No. 
Investigator 


: Dugway, Utah 
: September 8, 2004 
: Genesis Spacecraft 
: ENG04SA028 
: Clint Crookshanks, AS-40 


B. COMPONENTS EXAMINED 


Sample return capsule wiring harness and bolt catcher. 

C. DETAILS OF THE EXAMINATION 


An overall view of the submitted wiring harness and bolt catcher is shown in figure 1 
as the components were received in the NTSB Materials Laboratory. The harness is 
shown as packaged, supported by a dark gray foam. Damage areas are indicated by 
arrows “Area 1”, “Area 2” and “Area 3”. Damage Areas 2 and 3 were further supported with 
wood tongue depressors taped to the harness. Another view of damage Areas 1 , 2, and 3 
after removing the packing material is shown in figure 2. 

The submitted harness included a power cable that was connected to a battery at 
the battery connector indicated in figures 1 and 2. The power cable consisted of eight 
silver-coated copper strands with polyimide insulation (four colored yellow and four colored 
green). The cable was enclosed in a Kapton film and an aluminized Kapton film. The 
power cable was then wrapped in an aluminized Mylar wrap, as were any adjacent cables. 

Wiring Harness Visual Examination 

Four areas were identified where the aluminized Mylar wrap was damaged, and 
internal wires were exposed. The areas were numbered in order with increasing distance 
from the battery connector and are listed in table 1 . Views of each of the areas of damage 
are shown in figures 3 to 8. 
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Damage Areas 


Damage area number 

Distance from the base of the battery 
connector (inch) 

1 

8.5 

2 

13 

3 

15-17 

4 

34 


Area 1 


Closer views of the damage at Area 1 are shown in figures 3 and 4. The aluminized 
Mylar wrap was fractured and gaped open, revealing internal wires and cables. Charring, 
deformed power cable wrapping material, and missing power cable strand insulators were 
observed, indicative of heat damage. Bare wires of the power cable were visible as 
indicated in figure 4. 

Area 2 


A view of the damage at Area 2 is shown in figure 5. The aluminized Mylar wrap 
was charred black in this area. The shrink tubing on the exterior of the aluminized Mylar 
wrap (shown at the right in figure 5) was blackened and melted adjacent to this. A power 
cable wire melt bead was observed penetrating through the aluminized Mylar wrap as 
indicated by the arrow in figure 5. 

Area 3 


The regions of most severe damage in Area 3 were on approximately opposite sides 
of the harness and are shown in figures 6 and 7. The end of the damage area further from 
the battery connector is shown in figure 6, and the end closer to the battery connector is 
shown in figure 7. The aluminized Mylar wrap at the end further from the battery connector 
was fractured and gaped open as shown in figure 6. All eight of the power cable strands 
were either fractured or melted at this location. In addition, two adjacent strands with white 
insulators were fractured. Black deposits, charred insulators, and melted strands were 
observed in the area, consistent with exposure to heat. The shrink tubing on the exterior of 
the aluminized Mylar wrap adjacent to the area (shown at the left in figure 6) was 
blackened, partially melted, and opened back away from the damage at Area 3. At the end 
of Area 3 closer to the battery connector as shown in figure 7, the aluminized Mylar was 
gaped open, exposing the power cable. The insulators for the power cable were charred 
consistent with exposure to heat. 

Area 4 


A close view of the damage at Area 4 is shown in figure 8. The aluminized Mylar 
was fractured and gaped slightly open. None of the underlying strand insulators for the 
power cable were penetrated, and no heat damage was observed. An irregular-shaped 
piece of white debris measuring 100 micrometers across was observed in this area. The 
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piece was examined in a scanning electron microscope using energy dispersive x-ray 
spectroscopy (EDS), and the resulting spectrum showed high peaks of gallium and zinc. 

Wiring Harness Disassembly 

The aluminized Mylar and aluminized Kapton were removed from the power cable 
where possible. As these wraps were removed near Area 1, a portion of the power cable 
with the battery connector separated from the remainder of the harness. The separated 
piece is shown in figure 9. 

As the aluminized Mylar was removed further, charred and separated remnants of 
the power cable were exposed in the section between Areas 1 and 3. A view of the 
harness in this area with the largest of the exposed power cable remnants is shown in 
figure 10. 

The aluminized Mylar in the section shown in figure 10 showed evidence of charring 
and heating and tore more easily than in other sections. Also, the shrink tubing in this area 
was stiffer than the tubing in other areas. 

Post-Disassembly Wiring Harness Examination 

Battery Connector to Area 1 

A view of the damaged end of the power cable piece attached to the battery 
connector is shown in figurel 1 . No heat damage was noted directly adjacent to the battery 
connector and up to a distance of about 3.3 inches from the connector. Starting at a 
distance of 3.3 inches from the base of the battery connector, the Kapton film around the 
power cable strands was shrunk onto the strands. Starting at a distance of 5.4 inches from 
the base of the battery connector, the aluminized Kapton was fused to the underlying 
Kapton film. Starting at a distance of 8.3 inches from the base of the battery connector, the 
power cable strand insulators were mostly missing, and bare wires were exposed. The 
strands on this piece of the power cable were fractured or melted 9.8 to 10.3 inches from 
the base of the battery connector. A closer view of the ends of the power cable piece at 
this location is shown in figure 12. Several of the fractured and melted ends are shown in 
figure 13 as viewed using scanning electron microscopy (SEM). As shown in figures 12 
and 13, the power cable strand ends were rounded, individual wires within a strand were 
fused, and irregular thinning was observed consistent with melting. Where fractured, 
significant thinning of the strand was observed adjacent to the fracture, consistent with 
fracture at high temperature. 

Area 1 to Area 3 

The power cable between Area 1 and Area 3 was charred, and the strands showed 
evidence of melting. Many partially melted strand fragments and charred insulation 
fragments were present in this area. Strands in the harness adjacent to the power cable 
were also slightly charred and had black deposits on their surfaces. One charred section of 
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the power cable in this area remained relatively intact as shown in figure 14. This section 
was held together by the aluminized mylar wrap. 

Area 3 


A view of the harness at Area 3 after removal of the shrink tubing, aluminized Mylar, 
and aluminized Kapton is shown in figure 14. The power cable Kapton film showed 
charring and heat damage within 0.2 to 0.3 inches of the fractured or melted ends of the 
power cable strands. Also, two of the adjacent strands with white insulation showed heat 
damage and slight charring within 0.2 inches of their fractured ends. Black fibrous deposits 
also were observed throughout the area, visible in many of the close views of strands in 
this section. 

A closer view of the damage in Area 3 is shown in figure 16. As indicated in figure 
16, the Kapton sleeve for a strand adjacent to the power cable was fractured and pushed 
back in the direction of the battery connector, consistent with contact with another object. 
The Kapton sleeve also was charred, consistent with exposure to heat, and the charring 
was not continuous across the mating sides of the fracture, indicating the charring occurred 
after the fracture. The fractured ends of two white strands indicated in figure 16 were bent 
inward, also consistent with contact with another object. These fractured strands mated 
with the two white strands labeled in figure 1 5. 

The strands that were either fractured or melted in Area 3 were numbered for 
reference. The two fractured strands with white insulation adjacent to the power cable 
were numbered arbitrarily as shown in figure 15. The power cable strands were numbered 
such that green strands were assigned an odd number, and yellow strands were assigned 
an even number. Close views of each of these strands are shown in figures 17 to 20 and 
figures 23 to 35. 

The fractured ends of white strands 1 and 2 are shown in figures 17 to 20. 
Approximately 0.06 inch of bare wire was exposed on each strand. The fractured ends of 
the strands were bent and flattened, and individual wires were sheared consistent with 
contact with another object. On white strand 1, several wires were inadvertently bent 
outward during disassembly of the aluminized Mylar and aluminized Kapton. On both 
strands, the adjacent insulator was charred. Black deposits were observed on the strand. 
In areas where the deposits were not present, the wires had a light brown color. Using 
energy dispersive x-ray spectroscopy (EDS), a typical spectrum of the white strand 
insulator material was obtained and is shown in figure 21 . The spectrum showed a high 
peak of fluorine and much smaller peaks of titanium and carbon. A typical EDS spectrum 
for the black deposits on the bare end of white strand 2 is shown in figure 22. The deposits 
had a high peak of carbon with smaller peaks of oxygen, fluorine, and silicon. A silver peak 
also was observed, consistent with the coating on the underlying wire material. 

Views of power cable strand 1 are shown in figures 23 and 24. The fractured end of 
the strand came to a chisel-like point, and each strand was sheared consistent with contact 
with another object. The exposed strand had black deposits, and the adjacent insulator 
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was charred. Black fibrous deposits also were observed in the area. The insulator and 
several wires of this strand also were fractured at a location 0.24 inch from the fractured 
end of the strand (not visible in figures 23 and 24). The fractured wires were deformed 
consistent with contact with another object. 

Power cable strand 2 is shown in figure 25. This fracture was located furthest from 
the battery connector among the eight power cable strand fractures. The individual wires of 
strand 2 had a chisel-like fracture consistent with an overstress fracture in tension. The 
end of the strand appeared light brown, darker than the exposed strand adjacent to the 
insulator. No insulator charring was observed on this strand at this location. 

Views of power cable strand 3 are shown in figures 26 and 27. The strand was 
fractured with some wires sheared and others showing necking consistent with overstress 
fracture in tension. The ends of the exposed bare strand had black deposits, and in areas 
where the black deposits were not present, the ends appeared light brown. The strand had 
a more shiny silver appearance adjacent to the insulator. The insulator adjacent to the 
bare strand was charred. Black fibrous deposits also were observed in the area. 

Views of power cable strand 4 are shown in figures 26 and 28. The strand end was 
bent and individual wires were sheared, consistent with contact with another object. Some 
charring was observed on the insulator adjacent to the bare strand, and where the insulator 
was charred, the exposed strand was tinted slightly brown mixed with some black deposits. 

Views of power cable strand 5 are shown in figures 29 and 30. The strand end was 
bent and individual wires were sheared, consistent with contact with another object. Black 
deposits were observed on the fractured ends, and where deposits were not present, the 
strands had a light brown color. The insulator adjacent to the exposed bare strand was 
charred. Black fibrous deposits also were observed in the area. 

Views of power cable strand 6 are shown in figures 31 and 32. The wires of the 
strand end were flattened, bent, and sheared, consistent with contact with another object. 
The insulator adjacent to the bare strand was discolored slightly brown. 

Views of power cable strand 7 are shown in figures 33 and 34. Several wires at the 
end of this strand were melted into a ball and the ball was oriented at an angle relative to 
the strand. Several other wires were melted together with an irregular melt shape. The 
insulator adjacent to the bare strand was charred. 

Views of the power cable strand 8 are shown in figures 33 and 35. Individual wires 
were fused into a single melt ball and the melt ball was oriented at an angle relative to the 
strand in approximately the same direction as the melt ball of strand 7. The insulator 
adjacent to the bare strand was charred. 

The EDS spectra for the green and yellow power cable strand insulators are shown 
in figure 36. Both insulator colors had a high peak of carbon and a smaller peak of oxygen. 
One color also had a peak of titanium. 
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An EDS spectrum for undamaged shrink tubing is shown in figure 37. High peaks of 
carbon and fluorine were observed with smaller peaks of oxygen, aluminum, silicon, and 
potassium. A black portion of the charred shrink tubing located at Area 3 also was 
examined using EDS, and the resulting spectrum is shown in figure 38. Peaks of carbon 
and oxygen were observed in similar ratios to that of the undamaged shrink tubing, but the 
fluorine peak was substantially smaller. 

Bolt Catcher Examination 


An area of the bolt catcher had black deposits on its surface. A close view of this 
area of the bolt catcher is shown in figure 39. The flats at the base of the bolt catcher were 
damaged consistent with wrench contact, which occurred during disassembly of the bolt 
catcher after recovery. 

The deposits on the bolt catcher were examined using SEM and EDS. An SEM view 
using backscattered electrons is shown in figure 40. The deposits appeared mostly darker 
than the underlying bolt catcher material, but some areas appeared brighter. Most of the 
brighter areas were round with diameters ranging from less than a micrometer to several 
micrometers. 

An EDS spectrum of the bolt catcher is shown in figure 41. The bolt catcher had a 
high peak of aluminum and much smaller peaks of chromium and carbon. 

An EDS spectrum of the black deposits on the bolt catcher is shown in figure 42. 
This spectrum had high peaks of silicon, carbon, and aluminum with smaller peaks of 
fluorine and oxygen and much smaller peaks of sulfur and chromium. 

An EDS spectrum of the deposits appearing round and white in figure 40 is shown in 
figure 43. The spectrum had high peaks of copper with much smaller peaks of silver and 
carbon. 

Irregular-shaped deposits appearing lighter on the surface of the bolt catcher also 
were examined using EDS. The spectra for these deposits had high peaks of gallium and 
zinc. 


Matthew R. Fox 
Senior Materials Engineer 
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Image No.:0411A00200, Project No.: 2004110004 


Figure 1. Overall view of the as-received wiring harness and 
bolt catcher. Wrap disturbance at areas 1 to 3 are indicated. 
Also, a splice consisting of wood tongue depressors for 
stabilization during shipping is indicated. 



Figure 2. Another view of the harness at areas 1 to 3 with 
the packaging material removed. 





To battery 
connector 


gyL..„ 



To battery 
connector 


Report No. 04-133 
Page No. 9 


Image No.:0411A00204, Project No.: 2004110004 

Figure 6. Close view of the damage at area 3. The 
unlabeled arrow indicates the direction of viewing for figure 
7. 


Figure 5. Close view of the damage at Area 2. An 
unlabeled arrow indicates where a melt bead penetrated the 
aluminized Mylar wrap. 


Image No.:0411A00206, Project No.: 2004110004 
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Image No.:0411A00207, Project No.: 2004110004 


Figure 7. Damage at area 3 adjacent to the damage shown 
in figure 6 located closer to the battery connector. The 
unlabeled arrow indicates the direction of viewing for figure 
6 . 



Figure 8. View of the damage at area 4. 






Figure 9. View of the battery connector and power cable 
after removal of the outer aluminized Mylar wrap. The cable 
strands were melted and fractured in the vicinity of Area 1 . 
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Image No.:0411A00255, Project No.: 2004110004 


Figure 1 1 . Closer view of the damaged end of the power 
cable piece shown in figure 9. 



Image No.:041 1 A00242, Project No.: 2004110004 


Figure 12. Closer view of the melted and fractured strands 
of the power cable piece shown in figure 1 1 . 
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Image No.:0411A00291, Project No.: 2004110004 


Figure 14. Closer view of the power cable remnant from 
between areas 1 and 3 (also shown in figure 10). 


Image No.:0411A00663, Project No.: 2004110004 


Figure 13. Strands from the power cable near Area 1 as viewed using 
SEM. 
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Image No.:0411A00295, Project No.: 2004110004 


Figure 1 5. Close view of the damage at area 3 after removal 
of the outer aluminized Mylar wrap. 



Figure 16. Close view of the damage in area 3 showing the 
bent mating ends of white strands 1 and 2. Damage to the 
Kapton sleeve of an adjacent strand also is indicated in the 
figure. 
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Image No.:0411A00568, Project No.: 2004110004 


Figure 17. Close view of white strand 1 in Area 3. Several 
strands were bent during the wrap removal process. 



Image No.:0411A00569, Project No.: 2004110004 

Figure 18. Close view of white strand 2 in Area 3. 
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Image No.:0411A00671, Project No.: 2004110004 

Figure 19. SEM view of white strand 1 at Area 3. 



Image No.:0411A00672, Project No.: 2004110004 


Figure 20. SEM view of white strand 2 at Area 3. 
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Image No.:0411A00690, Project No.: 2004110004 


Figure 21. EDS spectrum for the white strand insulator adjacent to the power 
cable. 



Figure 22. EDS spectrum for black deposits on the exposed white strand at Area 
3. 
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Image No.:0411A00572, Project No.: 2004110004 

Figure 23. Close view of power cable strand 1 in Area 3. 
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Image No.:0411A00675, Project No.: 2004110004 


Figure 24. SEM view of power cable strand 1 at Area 
3. 
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Image No.:0411A00576, Project No.: 2004110004 

Figure 25. Close view of power cable strand 2 in area 3. 
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Figure 26. Close view of power cable strands 3 and 4 in 
Area 3. 
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Figure 29. View of power cable strand 5 in Area 3. 



Image No.:0411A00678, Project No.: 2004110004 


Figure 30. SEM view of power cable strand 5 at Area 3. 
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Image No.:0411A00739, Project No.: 2004110004 
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Figure 33. Close view of power cable strands 7 and 8 in 
Area 3. 



Image No.:0411A00683, Project No.: 2004110004 

Figure 34. SEM view of power cable strand 7 at Area 3. 
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Image No.:0411A00681, Project No.: 2004110004 

Figure 35. SEM view of power cable strand 8 at Area 
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Image No.:0411A00688, Project No.: 2004110004 
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Image No.:0411A00689, Project No.: 2004110004 


Figure 36. EDS spectra for the yellow and green power cable strand insulators. 
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Image No.:041 1 A00699, Project No.: 2004110004 

Figure 37. EDS spectrum for undamaged shrink tubing. 


Image No.:0411A00698, Project No.: 2004110004 

Figure 38. EDS spectrum for a blackened area of shrink tubing. 
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image No.:0411A00319, Project No.: 2004110004 

Figure 39. Close view of deposits on the bolt catcher. 



Image No.:0411A00648, Project No.: 2004110004 


Figure 40. SEM view of deposits on the bolt catcher as 
viewed using backscattered electrons. 
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Figure 41 . EDS spectrum of the bolt catcher. 
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Figure 42. EDS spectrum of black deposits on the bolt catcher. 
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Image No.:0411A00687, Project No.: 2004110004 


Figure 43. EDS spectrum of deposits appearing round and white using SEM with 
backscattered electrons. 
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Appendix D: Implementation of "Faster, Better, Cheaper" 

The “faster, better, cheaper (FBC) concept, which was part of the basic NASA mission philosophy, 
was intended to increase the number of experimental missions. Instead of one ‘big’ billion-dollar 
experiment, NASA could launch a series of smaller cost missions (e.g., —$200-250 million each), all 
within a fixed annual budget. It was recognized that the risk of mission success would increase, but 
with the hope that by using contractors, proven processes, hardware, and software the risks would be 
minimized. Some NASA leaders even felt that four out of five successes was better than one huge 
failure. Unfortunately, FBC became synonymous with “fixed-price” or “cost-capped.” With science 
scope determined early in the project, and with fixed launch windows (fixed schedule), risk was the 
only variable the project team had to trade to maintain a fixed cost and schedule. 

This concept had negligible impact on JPL, but significantly increased LMA programmatic risks. 
The FBC concept “caps” the contract value. As JPL is not a profit and loss (P&L) center, and 
assuming the JPL project management team and processes are adequate, the impact of FBC would 
be negligible. For LMA, on the other hand, FBC increases program risks, since: 

* Cost is capped, meaning profits are decreased as programmatic issues develop — cost growth 
could occur to the point that profit potential diminishes, forcing LMA to reduce program 
personnel, reduce/eliminate tests, etc., all of which increase the risk of program failure. 

* Schedule is most often fixed, as the FBC Discovert' Programs are usually planned to meet a 
solar launch window where failure to meet this window would mean a launch delay of 1 8 to 
24 months. Essentially, this means mission failure because the cost cap would be broken, 
causing cancellation of the mission. 

Thus LMA, a profit-making contractor, was faced with fixed costs for a development program 
and a firm a launch schedule (later relaxed). With a fixed cost and fixed schedule, and maintaining a 
given mission success risk level, a performance trade would have to occur whenever cost or schedule 
risks required reserves beyond those available. But performance trades generally mean some redesign 
and/or retest, which increases the cost and impact to the schedule. Therefore, the only real viable 
remaining to trade was mission success, i.e., risk. Both JPL and LMA, at the Project Manager level, 
believed strongly that if they exceeded the costs, the program would be cancelled. 

This mission was selected with only 19% margin at confirmation and only 12% at CDR. All 
involved (NASA, JPL, and LMA) were convinced that because of the assumed heritage design, this 
was an acceptable position. However, once heritage was broken and design issues arose, there was 
only one place for monies to be found — the contractor’s profits — which they gave up by increasing 
the risks of mission success to meet the cost-capped mission. Later, due to a launch slip and NASA- 
mandated changes, the contractor and project were able to request more money and reinstate a profit 
for LMA. 

The current FBC criteria with a cost cap, fixed deliver) 7 schedule, and a fairly firm scientific 
performance package increases the risk of program failure due to the need of the profit-and-loss 
contractor to make a profit. With fixed budget and schedules, as program issues increase, the profit- 
and-loss contractor reduces personnel, systems engineering oversight, checks and balances, and 
testing to try to make a profit and avoid program termination. 
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APPENDIX E: EVENT TIMELINE 


TCM-12 

TCM-11 E-28H 



Figure E-1 . Nominal timeline of post-entry events 


Table E-la. Detailed Timeline of Actual Events, Wednesday, Day of Year 252 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/08 15:52:47 

09/08 09:52:47 

00:00 

ENTRY, 125 km EIP 

Mission logs 

09/08 15:58:52 

09/08 09:58:52 

+00:06:05 

IMPACT, Mach 0.17 

Range camera 

09/08 15:59:08 

09/08 09:59:08 

+00:06:21 

SRC main chute should deploy (22,000 ft). 

- 

09/08 15:59 

09/08 09:59 

+00:06 

Ground impact reported to recovery helicopters, range 
8 nautical miles. 

Video, witness 
statements and loqs 

09/08 16:05 

09/08 10:05 

+00:12 

Helicopter formation arrives and circles to view site. 

Video, witness 
statements and loqs 

09/08 16:13 

09/08 10:13 

+00:20 

Oscar does "ground sink test" because of recent rains. 

Video, witness 
statements and loqs 

09/08 16:14 

09/08 10:14 

+00:21 

Oscar, Vertigo, and South Coast recovery helicopters land. 

Video, witness 
statements and loqs 

09/08 16:15 

09/08 10:15 

+00:22 

1 st Oscar crew arrival. Recovery Team lead exits helo and 
drops “something” - may be SO 2 monitor. 

Video 

09/08 16:15 

09/08 10:15 

+00:22 

Recovery team lead approached SRC from upwind to 
—100 ft; checked that SO 2 monitor is on and exposed; 
removed camera from equipment bag. 

Witness statements 
and logs 

09/08 16:17 

09/08 10:17 

+00:24 

Recovery team Lead confirmed that DACS separation bolts 
Droque mortar are unfired. Stays clear of mortar 30-degree 
exclusion zone. 

Video, witness 
statements and logs 
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UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/08 16:18 

09/08 10:18 

+00:25 

Recovery team lead informed TTR Range On-Scene 
Commander of unfired ordnance; established verbal keep- 
out zone on +X side of SRC. 

Witness statements 
and logs 

09/08 16:20 

09/08 10:20 

+00:27 

Vertigo Director of Flight Operations (DFO) talks with 
recovery team lead, then gestures to other Vertigo crew to 
1 ) come over here, 2) put on mask. Vertigo crew dons mask 
in “Cautk>n03' video frame. 

Video, witness 
statements and logs 

09/08 16:22 

09/08 10:22 

+00:29 

Vertigo payload master, with mask, walks around SRC with 
SO 2 monitor. 

Video, witness 
statements and logs 

09/08 16:22 

09/08 10:22 

+00:29 

Vertigo payload master doffs mask. 

- 

09/08 16:22 

09/08 10:22 

+00:29 

Recovery team lead approaches SRC for close-up view of 
canister breach. 

Video, witness 
statements and logs 

09/08 16:22 

09/08 10:22 

+00:29 

Gap of up to 3 inches allowed view of underside of one array 
isogrid. 

Video, witness 
statements and logs 

09/08 16:23 

09/08 10:23 

+00:30 

Remainder of Vertigo/South Coast crew walks over to meet 
Oscar crew: video is being taken by Vertigo/South Coast 
crew. 

Video, witness 
statements and logs 

09/08 16:25 

09/08 10:25 

+00:32 

One Vertigo/South Coast crewmember walks up to SRC with 
video camera and crosses ‘mortar ordnance 30-degree 
exclusion zone." Vertigo DFO calls him away from exclusion 
zone and Vertigo crewmember crosses back across 
exclusion zone. 

video 

09/08 16:26 

09/08 10:26 

+00:34 

Oscar returns with more personnel. 

Video, witness 
statements and logs 

09/08 16:31 

09/08 10:31 

+00:39 

First arrival of personnel from ground support team (GST1). 

Video, witness 
statements and logs 

09/08 16:34 

09/08 10:34 

+00:41 

LMA Parachute Certified Product Engineer (PCPE) 
approaches SRC with SO 2 monitor (yellow) and places it on 
the upwind ground side of SRC. 

Video, witness 
statements and logs 

09/08 16:35 

09/08 10:35 

+00:42 

LMA PCPE returns to SRC and moves SO 2 monitor (yellow) 
to opposite ground side of SRC (downwind) SO 2 monitor 
sounds alarm while he is holding the monitor He drops it on 
the ground and quickly moves away. 

Video, witness 
statements and logs 

09/08 16:38 

09/08 10:38 

+00:45 

Second arrival of personnel from GST 1 . JPL Environmental, 
Health and Safety Office personnel signals everyone to get 
back (A# crews are cleared to -200 feet upwind.) Wind sock 
is installed. 

Video, witness 
statements and logs 

09/08 16:37 

09/08 10:37 

+00:45 

OSCAR helicopter lifts off to return to Dugway to ferry 
recovery team to landing site. 

Video, witness 
statements and logs 

09/08 16:37 

09/08 10:37 

+00:44 

Recovery Team A leaves B1012 for Dugway hanger to 
board Oscar. 

Witness Statements, 
Witness logs 

09/08 16:45 

09/08 10:45 

+00:52 

Recovery Team B leaves B1012 for impact site in UTTR 
vehicles with UTTR drivers (JPL QA, JSC Curation, Genesis 
PI, LMA Environmental Engineer, JPL Systems Safety 
Engineer.) In accordance with approved contingency 
procedures SO 2 monitors and SCBA were earned on board 
to safe area. Also on board were curation tods. 

Witness Statements, 
Witness logs 

09/08 16:51 

09/08 10:51 

+00:58 

Vertigo and South Coast helicopters depart for MAAF. 

Video, witness 
statements and logs 

09/08 16:55 

09/08 10:55 

+01:02 

Recovery team Lead departs scene with UTTR interface and 
GST 1 ; UTTR On-Scene Commander and security detail 
remain to secure site for arrival of contingency response 
crews. 

Witness Statements, 
Witness logs 

09/08 16:55 

09/08 10:55 

+01:02 

Recovery Team A boards Oscar but is directed to debark 
and go to a meetinq in Kuddes. 

Witness Statements, 
Witness logs 

09/08 17:00 

09/0811:00 

+01:07 

Meeting starts in Kuddes. 

Witness Statements, 
Witness logs 

09/08 17:15 

09/0811:15 

+01:22 

After driving for approximately 30 minutes. Team B was 
intercepted by UTTR Interface who informed them that they 
were to turn around and qo back to MAAF. 

Witness Statements, 
Witness logs 

09/08 17:50 

09/0811:50 

+01:57 

Ground support group arrives at MAAF. 

Witness Statements, 
Witness logs 
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09/08 17:50 

09/08 11:50 

+01:57 

Meeting completed at Kuddes. 

Witness Statements, 
Witness logs 

09/08 18:00 

09/0812:00 

+02:07 

Press conference in MAAF hangar. 

Witness Statements, 
Witness loqs 

09/08 18:35 

09/08 12:35 

+02:42 

Recovery team A departs on Oscar (LMA SRC Mechanical 
Lead, LMA Test Conductor, JSC Curation Lead, LMA 
Logistics, 3 LMA techs, LMA QA, JPL Canister Mechanical 
Lead, LMA Systems Safety). Recovery Team 'A' discusses 
plan of operations to be conducted when landed. Safety 
considerations are discussed in light of the live ordnance 
and battery condition. 

Witness Statements, 
Witness logs 

09/08 18:53 

09/08 12:53 

+03:00 

Recovery team ‘A' lands at SRC impact site. Team unloads 
equipment consisting of SO 2 monitors, pyro safing 
hardware, water, saws, flashlights, scissors, shovels, VOMs, 
tape, curation tools, JSC contingency kits, etc. Pools of 
water near impact site mean SRC could be wet. LMA 
systems safety engineer performs sniff test of area and then 
closer to SRC No presence of SO 2 gas detected. 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/08 19:00 

09/08 13:00 

+03:07 

Close inspection of SRC to verify that no pyros fired. Crew 
stays away from front of DACS mortar tube. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/08 19:36 

09/08 13:36 

+03:43 

DACS removed and secured, DACS safed while ail 
personnel remained clear of front of mortar tube. Battery 
cables cut to remove power to pyros. All cabling to pyros cut 
on DACS and secured with Faraday cage (wires twisted and 
shorted): North side first then South. DACS lifted and placed 
on ground, facing down. Photos taken of inside of DACS 
and parafoil bag. Parachute risers cut from deck. DACS 
lifted and placed on ESD smock, photos taken. 

LMAGNJR11 Work- 

authonzing 

documentation 

09/08 20:37 

09/08 14:37 

+04:44 

Canister was pinching underside of backshell, needed to 
separate to remove. Cut strands of blanket on both sides 
and along seam. Severed cable on parachute deck - north 
side. Cut seal on south side. Removed half of backshell from 
impact hole, De-mated canister connecter and covered with 
faraday cage. Removed heat shield by saw cutting south 
end and cutting cables on north end. 

LMA GN_1R11 Work- 

authonzing 

documentation 

09/08 20:53 

09/08 14:53 

+05:00 

Heatshield lifted out of hole and set on ESD smock 

LMA GNJR11 Work- 

authorizing 

documentation 

09/08 21:00 

09/08 15:00 

+05:07 

SRC battery disconnected. Avionics box taken off and 
labeled. Concentrator electronics boxes removed. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/08 21:45 

09/08 15:45 

+05:52 

Decision made to transfer canister to Bldg. 1012 in Oscar. 
Canister wrapped in tarp for transport. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/08 22:00 

09/08 16:00 

+06:07 

Telecon and update in Avery, Bldg. 1010. Press allowed to 
see film of SRC at impact site. Recovery team lead received 
clearance of the initial assessment photos of SRC (14 
photos). SRC battery voltage checks: -3 V open circuit. 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/08 22:04 

09/08 16:04 

+06:11 

Payload canister lifted out of impact hole. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/08 22:24 

09/08 16:24 

+06:31 

SRC parts loaded onto Mudpuppy. 

LMAGNJR11 Work- 

authorizing 

documentation 
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Table E-lb. Detailed Timeline of Actual Events, Thursday, Day of Year 253 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/08 23:05 

09/08 17:05 

+07:12 

Payload canister placed on Oscar helicopter for transport 
back to Avery hanger. Accompanied by JPL canister 
mechanical lead engineer and LMA crew. Backshell and 
DACS returned by Mudpuppy and transferred to pick-ups. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/08 23:05 

09/08 17:05 

+07:12 

Backshell and DACS returned by Mudpuppy and transferred 
to pick-ups. 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/09 00:25 

09/08 18:25 

+08:32 

OSCAR returns to Avery hanger with team and payload 
canister. Canister placed on heatshield transport cart and 
then transported by forklift to Bldq. 1012. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/09 00:30 

09/08 18:30 

+08:37 

Payload canister delivered to Avery Complex Bldg. 1012 
high bay. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/09 00:40 

09/08 18:40 

+08:47 

SRC heat shield and backshell and miscellaneous pieces 
arrive at Bldg 1012 and are unloaded in north end. 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/09 01:00 

09/08 19:00 

+09:07 

Canister remnants unwrapped in the high bay outside of the 
clean room. “Bumf odor permeates from the wreckage. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/09 01:00 

09/08 19:00 

+09:07 

SRC battery checks: #1 = 2.794 Vdc; #2 = 0.189 Vdc 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/09 01:05 

09/08 19:05 

+09:12 

Field recovery crew secures intermediate landing tarp over 
impact site to return in AM. Remains of SRC secured in tarp. 
All gear and samples loaded on Mudpuppy and then 
transferred to road vehicles (pick-ups). 

LMA GNJR11 Work- 

authorizing 

documentation 

09/09 01:45 

09/08 19:45 

+09:52 

Pushed canister into the dean room after JSC deans off 
mud and dirt. 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/09 01:55 

09/08 19:55 

+10:02 

Recovery team members who secured site arrive at Bldg. 
1012. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/09 02:05 

09/0820:05 

+10:12 

Debrief in Bldg. 1012. 

Witness Statements, 
Witness logs 

09/09 03:20 

09/08 21:20 

+11:27 

Secure High Bay, B1012. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/09 17:30 

09/0911:30 

+25:37 

Another team heads out to the crash site to further 
document (written and photo) and attempt to retrieve 
additional hardware and sdence. 

Witness Statements, 
Witness logs 

09/09 19:20 

09/09 13:20 

+27:27 

LMA shorts redundant pyro leads on DACS ordnance. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/09 19:50 

09/09 13:50 

+27:57 

Battery voltage checks: #1 = 2.91 1 Vdc; #2 = 0.128 Vdc 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/09 22:41 

09/09 16:41 

+30:48 

Removed gold thermal blanket from SRC. Cut single-string 
attachment at comer. 

LMA GN_1R11 Work- 

authorizing 

documentation 
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Table E-lc. Detailed Timeline of Actual Events, Friday, Day of Year 254 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/10 00:30 

09/09 18:30 

+32:37 

Nine 5-gallon buckets of hardware material, collected at the 
crash site, brought into the Bldg. 1012 high bay by the field 
team. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/10 16:00 

09/10 10:00 

+48:07 

Intermediate landing tarp that was used to wrap-up smaller 
pieces of damaged SRC and canister hardware opened-up 
in the Impound Area of the Bldg. 1012 high bay. Large and 
small pieces of the SRC, canister, and collector hardware 
are revealed. JSC sorts through the debris for science 
collectors per JSC procedures. 

LMA GN_1R11 Work- 

authorizing 

documentation 

09/10 16:30 

09/1010:30 

+48:37 

LM begins inventory of SRC components per Flag Sheet #1 , 
PIRS# AP9926. JPL performs inventory of canister hardware 
per AIDS# 2031 80. All inventory operations occur in Bldg. 
1012 in the Impound Area. 

LMA GN.1R11 Work- 

authorizing 

documentation 

09/10 19:30 

09/10 13:30 

+51:37 

SRC battery checks: #1 = 2.414 & 2.418 Vdc; 
#2 - 0.143 Vdc. 

LMAGNJR11 Work- 

authorizing 

documentation 

Table E-Id. Detailed Timeline of Actual Events, Saturday, Day of Year 255 

UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/11 22:20 

09/11 16:20 

+78:27 

Removed lid-foil hub, with portion of a lid-foil attached, from 
the backshell by removing 4 fasteners and 4 washers. 

LMA GNJR11 Work- 

authorizing 

documentation 

Table E-le. Detailed Timeline of Actual Events, Monday, Day of Year 257 

UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/13 16:30 

09/13 10:30 

+120:37 

Removed SRC Avionics Box A thermal cover by removing 1 
fastener and 1 thermal washer— submitted to JSC curation 
for storage and emissivity testing. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/13 21:45 

09/1315:45 

+125:52 

SRC battery checks: #1 = 1.061 & 1.002 Vdc; 
#2 = 0.1 20 Vdc. 

LMA GN_1R11 Work- 

authorizing 

documentation 


Table E-lf. Detailed Timeline of Actual Events, Tuesday, Day of Year 258 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/14 21:18 

09/1415:18 

+149:25 

SRC battery checks: #1 = 0.806 & 0.808 Vdc; 
#2 = 0.087 Vdc. 

LMA GNJR11 Work- 

authorizing 

documentation 


Table E-lg. Detailed Timeline of Actual Events, Wednesday, Day of Year 259 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/15 21:34 

09/1515:34 

+173:41 

SRC battery checks: #1 □ 0.867 & 0.869 Vdc; #2 = 0.100 
Vdc. 

LMA GNJR11 Work- 

authorizing 

documentation 

09/15 22:00 

09/15 16:00 

+174:07 

SRC battery checks; #1 = 0.874 Vdc; #2 = 0.101 Vdc. 

LMA GN.1R11 Work- 

authorizing 

documentation 

09/15 23:00 

09/1517:00 

+175:07 

Thermal close-out from down side removed and submitted to 
curation team. Canister filter removed from canister base 
and submitted to curation team. Removed radiator and 
thermal shield from SRC battery. 

LMAGNJR11 Work- 

authorizing 

documentation 
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Table E-lh. Detailed Timeline of Actual Events, Thursday, Day of Year 260 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/16 21:05 

09/1615:05 

+197:12 

SRC battery checks: #1 = 0.791 & 0.790 Vdc; 
#2 = 0.103Vdc. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/16 23:00 

09/16 17:00 

+199:07 

SRC battery removed and packed for shipment. 

IMA GNJR11 Work- 

authorizing 

documentation 

09/16 23:00 

09/16 17:00 

+199:07 

NSIs #1 and #2 removed from drogue mortar. 

LMAGNJR11 Work- 

authorizing 

documentation 

Table E-li. Detailed Timeline of Actual Events, Friday, Day of Year 261 

UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/17 18:00 

09/1712:00 

+218:07 

All 3 frangible bolts removed. DACS cable cutter (harness to 
drogue mortar) removed. Both parafoil reefing cutters 
removed. All ordnance devices packed for shipment. 

LMAGNJR11 Work- 

authorizing 

documentation 

09/17 22:00 

09/1716:00 

+222:07 

Avionics Unit A and its mounting bracket removed from heat 
shield. 

LMAGNJR11 Work- 

authorizing 

documentation 


Table E-lj. Detailed Timeline of Actual Events, Friday, Day of Year 261 


UTC-d.hr.m.s 

MDT-d.hr.m.s 

E-hrs:m:s 

Description of Event 

Source of Data 

09/20 22:00 

09/20 16:00 

+294:07 

Prepared returned SRC hardware for shipment. 

LMAGN 1R11 Work- 

authorizing 

documentation 

09/21 14:00 

09/21 08:00 

+310:07 

Returned SRC hardware (heat shield, backshell, Avionics 
Units A & B, DACS assy., main parafoil assy., assorted SRC 
components), SRC battery and ordnance loaded and 
shipped to Denver. SRC and canister would have shipped to 
JSC on Saturday 9/1 1 . 

LMAGNJR11 Work- 

authorizing 

documentation 

09/22 18:30 

09/22 12:30 

+338:37 

Returned SRC hardware put in storage for MIB direction. 
SRC hardware in EMF room 134. SRC battery in SSB 
Battery Lab. Ordnance in Ordnance Lab. 

LMAGNJR11 Work- 

authorizing 

documentation 
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APPENDIX F: "NO MAR CONTINGENCY" DOCUMENTATION INCONSISTENCIES 


Earth Targeting and 
Entry Safety Plan 
Vol. 1, JPL D- 
29358, August 16, 
2004 


3.3.1 .2.2: One additional helicopter will carry the On Scene Commander and EOD, call sign “Oscar.” During recovery it 
also will take station on Vertigo and remain clear of the MAR (approximately a 1 Nm standoff). If the MAR is successful, 
Oscar will either recommend or advise on the suitability of the location of the intermediate landing site. Oscar will stand 
off from the site until the intermediate landing and take off are completed, and then will depart the area and return to 
MAAF; or he/she and South Coast may proceed to locate and recover the drogue/DACS or to mark the impact point for 
ground recovery. 

3.3.1. 2.2.1: If the main parachute malfunctions, the Director of Flight Operations (DFO) will assess the parafoil health. If 
the parafoil flight is stable and predictable a MAR will be attempted. Otherwise, the SRC will continue to ground impact 
and the MAR helicopters will do a damage assessment. If there is no damage, the MAR helicopters will proceed with a 
recovery. If there is damage, then Oscar will secure the area until the NASA Payload and Curation teams can arrive at 
the site to assess recovery requirements. 

3.3.1 .2.2.2: If the MAR fails and the SRC continues to ground impact, the MAR Helicopters will do a damage 
assessment. If there is no damage, the MAR helicopters will proceed with a recovery. If there is damage, then Oscar 
will secure the area until the NASA Payload and Curation teams can arrive at the site to assess recovery requirements. 
3. 3. 1.2.2. 3: If the drogue chute fails then all helicopters will participate in a search for The downed SRC. Once the SRC 
is located all helicopters will depart the area except Oscar who will take charge of the impact area (i.e., secure the area) 
until the NASA Payload and Curation teams can arrive at the site to assess recovery requirements. 


Genesis Mission- 
Recovery Phase 
Systems Safety 
Plan, Vol. 3, GNS 
61000-200, JPL D- 
29566, Preliminary, 
August 2004 


Sample Return 
Capsule Recovery 
Operations Plan, 
Rev. A, GN-65100- 
100, August 23, 
2004 


A.2.5 Off-Nominal Recovery 

An entry that results in failure of the parafoil to fully deploy, failure to achieve MAR, loss of the SRC after a MAR, or 
other unforeseen conditions that result in the SRC severely impacting the ground will require contingency 
preparedness. The following line items shall be addressed in contingency planning: 
o Establish a team leader to recover the Genesis SRC 
o Establish a safety and security perimeter around the Genesis SRC 
o Review methods for approaching and securing the Genesis SRC 

o Develop strategy for working in a high temperature daytime environment, 

o Identify all potential hazards and provide remediation plans 

o A detailed written report shall be initiated while at the scene and summarized into a formal document once 
the hardware has been recovered. 

o Detailed photographs shall be taken of the scene as well as individual photos of the hardware prior to 
being handled or moved. 

4.3 Mid Air Retrieval Not Performed 

In the event of unsuccessful mid-air retrieval, or if mid-air retrieval cannot be attempted for some reason, a recovery of 
the SRC from its ground landing site will be necessary. There are two main scenarios for this recovery, distinguished by 
the availability of helicopter support, which depends on the exact nature of the contingency event. If helicopters are 
available, but mid-air retrieval is unsuccessful, the helicopters become the primary means of access to the landing site. 
If helicopter support is not possible, the fallback scenario depends on reaching the landing site by some combination of 
tracked and wheeled land vehicles. These two scenarios are detailed below. It is assumed in both cases that tracking 
by various means has provided a reasonably accurate fix on the impact location. Otherwise, the plans for reduced or no 
tracking data, outlined in Section 4.2, must be factored in. 

4.3.1 Ground Retrieval by Helicopter 

In this scenario, helicopters are available and flying, i.e., equipment available, weather acceptable, etc., but mid air 
retrieval has not been effected. There could be a number of reasons for this situation, including not reaching the SRC in 
time, not establishing visual contact for intercept, failed MAR passes, or hardware failure. Depending on the situation, 
the helicopter crews will either witness the ground impact, or will be directed to the site by Mission Control, based on 
best available tracking. In a ground landing scenario, radar tracking may be lost up to 500 feet above the ground. With 
a glide ratio of 2.5:1, the parafoil could fly up to 0.5 NM in any direction from the last known fix to ground impact, 
assuming a worst case straight glide (no spiral). After the last radar fix, the GPS/DCNS takes over as the most accurate 
location aid. The Genesis implementation of GPS is based on the Standard Positioning Service (SPS), which provides 
the following accuracy: 

o SPS Predictable Accuracy 
o 1 00 meter horizontal accuracy 

o 1 56 meter vertical accuracy 

In either case, visual sighting of the brightly colored parafoil from the air can be expected immediately upon arrival. 
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The Recovery Team Chief and helicopter crews will begin the following steps. 

1 . Prior to landing, photo-document the impact site, paying particular attention to the flight azimuth at impact, spfead of 
the divots, any actions that may have been encountered, and any signs of visible damage to the SRC. 

2. Radio a situation report to Mission Control; contact may be lost upon landing. Include a confirmation of the 
coordinate fix, using the on-board GPS system. 

3. Land at the best available safe site, at least 100 feet from the SRC. 

4. Secure the parafoil to prevent any (further) dragging by the wind. Each helicopter will have at least one crewmember 
experienced in ground handling of parachutes in windy conditions. 

5. Evaluate the SRC for damage. Note the final resting orientation of the SRC, and whether there is evidence of 
tumbling or rolling. Photodocument, and radio report to Mission Control if possible. 

6. The Recovery Team Chief will be authorized to move the SRC, according to one of the following steps: 

a. If the SRC is in a sound condition, and there is no evidence of dragging after landing or other trauma, the SRC may 
be lifted by the parafoil risers and longlined to MAAF as following a nominal intermediate landing. This is both the 
quickest and the gentlest handling and transport possible, b. If the SRC is basically intact, but there is some question 
as to the structural integrity of the latches or parafoil attach fittings, the SRC will be rolled onto the cargo net (carried 
aboard OSCAR). And the net attached to the loadline for carriage as a suspended longline load to MAAF. This provides 
the same gentle transport, but takes slightly more prep time, and incurs significantly more handling, 
c. If the SRC is judged unsound for flight tee payload team will be transported to the site. 

4.3.2 Ground Retrieval by Ground Vehicles 

If helicopter have been unable to fly, a recovery team will be transported to tee site by ground vehicles. At this time of 
year (September) much of tee range will likely be dry enough to support wheeled vehicles. Tracked vehicles will be 
stationed at Pad 83 for access to any point in tee footprint if required. The "548" as shown in Figure 4.3-1 can traverse 
most of the range terrain at 25-30 mph. It is equipped with a chain hoist capable of lifting the SRC into the bed. Figure 
4.3-2 shows a MAR test vehicle being loaded aboard tee 548 after a bare pole training flight. 

The Recovery Team Chief and helicopter crews will begin tee following steps. 

1 . Photo-document the impact site, paying particular attention to tee flight azimuth at impact, spread of the divots, any 
obstructions that may have been encountered, and any signs of visible damage to the SRC. 

2. Radio a situation report to Mission Control; contact may be lost upon landing. Include a confirmation of the 
coordinate fix, using the on-board GPS system. 

3. Secure the parafoil to prevent any (further) dragging by the wind. The ground team will have at least one 
crewmember experienced in ground handling of parachutes in windy conditions. 

4. Evaluate the SRC for damage. Note the final resting orientation of the SRC, and whether there is evidence of 
tumbling or rolling. Photodocument, and radio report to Mission Control if possible 

5. Recover the damaged SRC per the procedures in the Genesis SRC Ground Operations For Solar Wind Recovery 

14.8 Failed Capture, SRC Lands on the Ground 

In the event that the MAR helicopters are unable to MAR the SRC, the SRC will land on the ground, under parafoil. 

The SRC airframe will likely be undamaged. With approval from the On-Scene Commander, both helicopters will land 
and perform a normal intermediate landing, without the landing pad. 

14.9 Failed Main Parachute 

In the event teat the main parachute malfunctions such that it is not safe to MAR, the SRC will land on the ground with 
an increased descent rate. With On-Scene Commander approval, bote MAR helicopters will land near the SRC. If the 
SRC airframe is undamaged, a normal intermediate landing will be performed, without the landing pad. If the SRC 
airframe is damaged, curation experts will be consulted by radio. Depending on the condition of the SRC airframe, tee 
SRC will be ferried to Building 1012 in tee normal fashion, towed by its risers, or if more severely damaged, towed 
inside a sling. 
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Utah Test and 
Training Range 
Mission Safety 
Review , Control 
Number 2004-12 


Genesis Mission 
Sample Return 
Contingency 
Communications 
Team Operations 
Plan 



1 .3.3.2. One additional helicopter will carry the On Scene Commander and EOD, call sign “Oscar." During recovery it 
also will take station on Vertigo and remain clear of the MAR (approximately a 1 nm standoff). If the MAR is successful, 
Oscar will either recommend or advise on the suitability of the location of the intermediate landing site. Oscar will stand 
off from the site until the intermediate landing and take off are completed, and then will depart the area and return to 
MAAF; or he/she and South Coast may proceed to locate and recover the drogue/DACS or to mark the impact point for 
ground recovery. 

1 . 3.3.2. 1 . If the main parachute malfunctions, the Director of Flight Operations (DFO) will assess the parafoil health. If 
the parafoil flight is stable and predictable a MAR will be attempted. Otherwise, the SRC will continue to ground impact 
and the MAR helicopters will do a damage assessment. If there is no damage, the MAR helicopters will proceed with a 
recovery. If there is damage, then Oscar will secure the area until the NASA Payload and Curation teams can arrive at 
the site to assess recovery requirements. 

1 .3.3.2.2. If the MAR fails and the SRC continues to ground impact, the MAR helicopters will do a damage assessment. 
If there is no damage, the MAR helicopters will proceed with a recovery. If there is damage, then Oscar will secure the 
area until the NASA Payload and Curation teams can arrive at the site to assess recovery requirements. 

1 .3.3.2.3. If the drogue chute fails then all helicopters will participate in a search for the downed SRC. Once the SRC is 
located all helicopters will depart the area except Oscar who will take charge of the impact area (i.e., secure the area) 
until the NASA Payload and Curation teams can arrive at the site to assess recovery requirements. 

Note: All of the preceding operational descriptions are abbreviated from the detailed plans contained in the Genesis 
Crew Training and Procedures Manual (Tab 4) and Genesis Mid-Air Retrieval Mission Plan (Tab 4). These documents 
also provide detailed descriptions of the mechanical systems involved in the operation. Please refer to these 
documents for a more detailed description of the processes and procedures that will be used for training and the actual 
recovery. 


Table 1. Re-Entry Contingency Types 

2. An off-nominal flight profile results in impact of the SRC and perhaps the spacecraft bus onto the UTTR or its Region of Influence 
(ROI). 

This type of contingency will continue to be largely handled by elements of the Genesis Recovery Team and the UTTR related units 
supporting them. However, this may require involvement of the Contingency Response Team to notify local civilian authorities through 
FEMA contacts to identify and secure areas believed impacted by the spacecraft until arrival of the Recovery Team. 

Appendix B: NASA Public Affairs Information for Use in Contingency Commentary 
Drogue Chute and/or Parafoil Do Not Deploy 

The capsule's drogue parachute deploys about 2 minutes after it enters Earth's atmosphere when it is over the Utah Test & Training 
Range. In a best-case scenario, the deployment may be visible on-camera. The purpose of the drogue chute is primarily to stabilize 
the capsule; slowing it down is a secondary purpose. A contingency could take any of several forms - the drogue chute could shred 
but function at least partially, or it may fail altogether. In some scenarios, the drogue chute may not deploy properly, but the parafoil 
could still deploy and function. 

Any contingency would be visible either on optical trackers or on radar, which will be able to monitor the speed of the capsule. If no 
chutes deploy, the capsule will hit the ground at about 100 mph. If only the drogue deploys, the final speed would be 60-70 mph. If the 
parafoil deploys, the final speed is about 30 mph. 

The chase helicopters remain on the perimeter of the target ellipse until confirmation of parafoil deployment, after which they move in 
to capture it. In the event of a contingency, the helicopters would remain outside the ellipse until radar confirms the capsule has 
reached the ground, after which the helicopters would go in to locate the capsule. 
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Genesis Mishap Investigation Board 

Fault Tree Closeout Record 

Date: 11/15/04 


FAULT TREE ELEMENT/SI : 

2.12 Avionics Shorted 


SCENARIO : 

After the battery depassivation, the avionics boxes shorted out internally resulting in insufficient current to fire the drogue 
mortar initiators. 


ARGUMENTS FOR: 


Avionics boxes shorted out internally as a result of battery depassivation. 


ARGUMENTS AGAINST : 

See the detailed arguments below. 


DEDUCTIONS: 


Post impact inspection and continuity testing of the Box A avionics Relay and EST cards revealed no power to ground shorts. 
Functional testing of the Box A EST card proves there are no internal avionics shorts of any kind within EST card S/N 001. 
Thus, at least one of the two Avionics Boxes was functional with no internal shorts. 

Post impact inspection and continuity testing of the Box B avionics cards revealed no power to ground shorts on the relay card. 
Power to ground shorts were found on the EST Card however there was no visual evidence of these shorts. Lack of such 
evidence is suggestive that the measured power to ground shorts were due to crash damage. 


CONTRIBUTION OF THIS BLOCK TO FAILURE IS: 


N-Not Credible 

Source of Data: 

Telemetry: 
Photography/Video: 
Physical Evidence: 

Check 

Applicable 

□ 

□ 

0 

Description 

Genesis RFA #44 Internal Inspections of the Flight Avionics 

Boxes 



Test: 


GN_RFA-114, SRC Avionics (A) EST Board Characterization 

Analysis: 

□ 


Other: 


LMA Dwa No 915A1601001 Event Sequence Timer Schematic 


Diagram, LMA Dwa No 915A1603001 SRC Avionics Relay Board Schematic Diagram, LMA Dwq No 
915A1602001 Low Speed Interface Motor Schematic Diagram, MIL-PRF-30017F Relays, Electromagnetic. 
Established Reliability. Genesis ATLO GN 3S40. SRC Return Avionics Test. Pretest Checklist Date 6-27- 
00. Genesis ATLO GN 3S40 A. SRC Return Avionics Test. Pretest Checklist Date 7-21-00 


Prepared by: Jerry Dalton/Avionics/818-393-2398 

MIB Approval: 
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Appendix G 


G. Internal Inspections of Flight Avionics Boxes 
G.1 Avionics Box A (good) 

A continuity test was performed at the box level on the power inputs for Avionics Box A. Continuity 
was measured from power-to-ground and power-to-power for all power nets accessible from the 
external connectors. There were no shorts. Continuity was also measured at the box level from each 
separate pvro output-to-ground and from each separate pvro output-to-pyro output. There were no 
shorts. 

Avionics Box A was disassembled for card inspection. Circuit card inspection revealed the 
following: 

Relay Card S/N 001. The relay card was in very good condition (Figure G-l), showing very 
little visible damage. PI was cracked but appeared functional (Figure G-2). There was no sign of 
overstress that would indicate a relay card power-to-ground short. There was no discoloration, 
delaminating, or burning of the PCB or conformal coating. 

A card-level continuity test was performed. Continuity was measured from power-to-ground and 
power-to power-for all primary power nets. There were no shorts. 

Relay state was checked by probing test points and relay pins with a digital multimeter set to 
measure continuity'. The results were inconclusive and suggestive of internal relay damage. Relays are 
considered fragile — LMA’s relay failure analyst indicated that relays can be damaged by dropping 
them a few feet to the bench. The relay damage was most likely due to impact. Refer to MIL-PRF- 
3901 7F for detailed relay specifications. 

EST Card S/N 001. The EST card was in good condition. A slight deformation in the center 
of the board was observed, estimated to be about 0.062 inches. Connector J2 had been sheared off 
the board (Figure G-3), but there was no other visible damage. There was no sign of overstress that 
would indicate an EST card power-to-ground short, such as discoloration, delaminating, or burning 
of the PCB or conformal coating. 

There was no indication of overstress to the secondary voltage regulators. The 0.375-A UHF 
Beacon power fuse and 5-A GPS power fuse appeared normal, with no visible evidence of damage or 
overstress. Continuity tests verified the integrity of the fuses. 

A card-level continuity test was performed. Continuity was measured from power-to-ground and 
power-to-power for each primary and secondary power net. There were no shorts. 

Continuity was also measured at the card level from each separate pvro output-to-ground and 
from each separate pyro output-to-pyro output. There were no shorts. 
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Figure G-2. Cracked PI Connector on Relay Card SN 001 
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Fuses 


PI (missing) 


5-V Regulators 


Figure G-3. Avionics Box A EST Card SN 001 


MDE Card S/N 002. The MDE card was in very good condition (Figure G-4). A slight 
deformation of the board was observed, less than the FIST. The two 5 -A 28- V spacecraft power fuses 
appeared normal with no visible evidence of damage or overstress. Continuity tests verified the 
integrity of the fuses. The hybrid DC/DC secondary voltage converter appeared normal with no 
evidence of damage or overstress. 

G.2 Avionics Box B (smashed) 

The connectors and the backplane on Avionics Box B were extensively damaged. Box-level 
continuity testing was not possible on Box B. 

Avionics Box B was disassembled for card inspection. Circuit card inspection revealed the 
following: 

Relay Card S/N 002. The relay card was in bad condition. There was obvious physical damage 
to the board and relays (Figure G-5). However, there was net sign of overstress that would indicate a 
relay card power-to-ground short. There was no discoloration, delaminating, or burning of the PCB 
or conformal coating. 

A card-level continuity test was performed. Continuity was measured from power-to-ground anti 
power-to-power for all primary power nets. There were no shorts. 

Relay state was not checked because of obvious physical damage to the relays. 
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Figure G-5. Avionics Box B Relay Card SN 002 
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EST Card S/N 002. The EST card was heavily damaged. The connectors were smashed and 
badly deformed; there was extensive damage to the PWB near one corner (see Figures G-6 and G-7). 
However, there was no visible sign of overstress that would indicate an EST card power-to-ground 
short, such as discoloration or burning of the PCB or conformal coating. 

There was no indication of overstress to the secondary' voltage regulators. The 0.375-A UHF 
Beacon power fuse and 5-A GPS power fuse appeared normal with no visible evidence of damage or 
overstress. Continuity tests verified the integrity of the fuses. 



Note physical 
damage in this 
comer. 


Figure G-6. Avionics Box B EST Card SN 002 
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Figure G-7. EST SN002 PI Connector 


Damage to the connectors prevented their use for card-level continuity tests; therefore, testing 
was performed by probing board solder joints through the conformal coating. Primary and secondary 
ground nets were shorted to ground and to each other. Pins touching each other on the smashed 
connector may have been responsible for the shorts (Figure G-8). If these shorts had occurred while 
the circuit was powered, there would have been considerable heat generated. However, the lack of 
visual evidence such as discoloration, burning, or melting of the PCB suggests the power-to-ground 
shorting of the EST card was due to crash damage and not an in-flight failure. 

Pyro output continuity testing could not be performed because of connector damage. 
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Figure G-8. EST SN 002 J2 Connector 

MDt Card S/N 003. The MDE card was in bad condition, with extensive damage to the 
components and board near the PI connector (Figure Ci-O). I lowever, the two 5- A 28 \ ; spacecraft 
power fuses escaped damage and appeared normal, with no visible evidence of damage or overstress. 
Continuity tests verified the integrity of the fuses. 
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Figure 9. Avionics Box B MDE Card SN 003 


G.3 Pre-Launch System Testing 

Two separate hardware test sets were used for system testing; GN-3S342, a.k.a. the “suitcase” test set 
and GN-3S340, the ATLO test set. The ‘ ‘suitcase” test set was used after environmental testing and 
at Cape Kennedy. Although performed closer to launch than the ATLO tests, the “suitcase” tests 
were not useful for verifying the functionality of both avionics boxes, because the test reports do not 
state which box (1 or 2) was tested. 

During the ATLO phase, SRC Avionics was tested to verify SRC return avionics performance 
(see reference documents 6 and 7, Genesis ATLO SRC Return Avionics Test Reports for details). The 
ATLO test results provide verification that both avionics boxes were functional. The latest ATLO 
test report, ATLO GN_3S40_A, SRC Return Avionics Test, contains a pretest checklist dated )uly 21, 
2000 (i.e., the verification test took place on or after that day). 

C,4 Post-Impact Functional Test of EST Card 

The following is based on information obtained during test procedure GN_RFA-1 14, SRC Avionics 
(A) EST Board Characterization. 
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The almost pristine condition of EST S/N 001 from Box A facilitated a powered card-level 
functional test of the EST using the LMA Genesis SRC Avionics test set (see RFA #114). The relay 
card was not tested because of (suspected) post-impact damage to the relays. The test set was 
checked out using the EDU EST card. Connector P2 of the EST card was replaced and the card was 
tested. 

EST S/N 001 successfully completed two sets of pvro signal timing and output voltage tests. 
There was one parametric failure — drogue chute deploy was 1 5 milliseconds late (test limit is 
5600 ms ± 150 ms) on one of the riming tests. The delay may have been due to the test equipment, 
perhaps a slow relay, rather than the card as all subsequent rimers within that riming set exhibited 
approximately the same delay (the test rack had been in storage for a number of years.) See following 
table for a summary of the detailed results of the timing tests. 


Table G-1. EST SN 001 Summary of Card-Level Functional Test Timing Results (ms) 




Drogue 

Drogue 

Main Chute 

UHF/GPS 



Deploy 

Harness Cut 1 

Deploy 

Beacons 



5.6 ± .15 sec. 

80.6 ± 0.5 sec. 

259.2 ± 0.5 sec. 

261 4 ± 0.5 sec. 


Droque only 

5,737 

N/A 

N/A 

N/A 


Simultaneous G-siqnals 

5,744 

80,739 

259727 

261426 

CD 

W 

Skewed G-siqnals #1 

5,679 

80,674 

259,662 

N/A 

% 

Skewed G-siqnals #2 

5,770 2 

80,765 

259,753 

261,453 


Deploy main w/pressure 
switch 

N/A 

N/A 

103,195 

N/A 



Droque only 

5,716 

N/A 

N/A 

N/A 


Simultaneous G-siqnals 

5,741 

80,736 

259,724 


CD 

(/> 

Skewed G-siqnals #1 


80,685 

259,763 

N/A 


Skewed G-siqnals #2 

5,720 

80,715 

259,703 

261,403 

ro 

Deploy main w/pressure 
switch 

Stop Test 


N/A = Not Applicable, data not collected for this step. 


1 One of two drogue harness circuits has open timing resistors on an input to one AND' gate. 

2 Parametric failure; test limit = 5,600 ms ± 150 ms. 
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